Forum keeps logging me out

Found an issue with the phpBB system here at NESdev? Use this forum to report problems.

Moderator: Moderators

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Forum keeps logging me out

Post by thefox » Mon Aug 26, 2013 6:27 am

Not sure what has happened, or if it's just me, but the forum now keeps logging me out daily (or so) even though I have checked the "Log me on automatically each visit" checkbox when logging in.

Earlier on I (practically) never had to log in manually after ticking the checkbox.
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

tepples
Posts: 21708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: Forum keeps logging me out

Post by tepples » Mon Aug 26, 2013 7:12 am

Are you logging in and out on another device? On a lot of sites, if you click "log out", the site ends all active sessions associated with your user account.

User avatar
koitsu
Posts: 4214
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: Forum keeps logging me out

Post by koitsu » Mon Aug 26, 2013 7:35 am

1. Tepple's theory is sound/legitimate,

2. Sometimes this is caused by caching problems with one's browser, where certain cached pages and/or saved cookie data stop working. I've seen this in Firefox and IE over the years, so I would not be surprised if Chrome had similar issues. Clear everything and see if things improve,

3. Sometimes this is caused by issues server-side pertaining to PHP sessions, which on the new server are dropped into /tmp. The "garbage collector" (gc) may also periodically pick them up/nuke them, although the rate at which it does is fairly low (less aggressive than Parodius):

Code: Select all

session

Session Support => enabled
Registered save handlers => files user
Registered serializer handlers => php php_binary

Directive => Local Value => Master Value
session.auto_start => Off => Off
session.bug_compat_42 => On => On
session.bug_compat_warn => On => On
session.cache_expire => 180 => 180
session.cache_limiter => nocache => nocache
session.cookie_domain => no value => no value
session.cookie_httponly => Off => Off
session.cookie_lifetime => 0 => 0
session.cookie_path => / => /
session.cookie_secure => Off => Off
session.entropy_file => no value => no value
session.entropy_length => 0 => 0
session.gc_divisor => 1000 => 1000
session.gc_maxlifetime => 1440 => 1440
session.gc_probability => 1 => 1
session.hash_bits_per_character => 5 => 5
session.hash_function => 0 => 0
session.name => PHPSESSID => PHPSESSID
session.referer_check => no value => no value
session.save_handler => files => files
session.save_path => /tmp => /tmp
session.serialize_handler => php => php
session.use_cookies => On => On
session.use_only_cookies => On => On
session.use_trans_sid => 0 => 0

Note to anyone looking at those and wanting to make some remark: say nothing until you go look at and fully read the PHP documentation for the settings in question.

4. This topic has come up more than once over the years. In most cases it has turned out to be certain user behaviour or oddities like those I've mentioned above,

5. Troubleshooting this is surprisingly difficult,

6. I haven't seen this problem even once, in all the years I've been using the site -- except for one situation: during the server migration/move, and that was easily explained (the FQDN associated with the site (thus cookie) changed, thus understandably confusing the hell out of browsers). However I only access the forum from one place (my home PC).

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Re: Forum keeps logging me out

Post by thefox » Mon Aug 26, 2013 12:12 pm

tepples wrote:Are you logging in and out on another device? On a lot of sites, if you click "log out", the site ends all active sessions associated with your user account.

Nope. And moreover, on phpBB that doesn't seem to be the case. And this has happened for several days, on many of which I've definitely not logged in from multiple devices.

koitsu wrote:2. Sometimes this is caused by caching problems with one's browser, where certain cached pages and/or saved cookie data stop working. I've seen this in Firefox and IE over the years, so I would not be surprised if Chrome had similar issues. Clear everything and see if things improve,

Clearing all cookies from *nesdev.com domain(s) was the first thing I tried when this occurred. No luck.

I guess it might be caused by an update of Chrome. Or something. Anyway, it's not a huge deal. I just thought I'd post in case somebody else was seeing the same problem.
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

User avatar
James
Posts: 429
Joined: Sat Jan 22, 2005 8:51 am
Location: Chicago, IL
Contact:

Re: Forum keeps logging me out

Post by James » Fri Aug 30, 2013 12:47 pm

This is happening to me too. It first started a few days ago (I think the same day that thefox reported it), on both my PC and iPhone. Since then, it's happened a couple of times on my PC, but my iPhone has stayed logged on.

I'm using Safari on my iPhone, iOS 6.1.4, and Chrome 29.0.1547.62 m on my PC.
get nemulator
http://nemulator.com

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Re: Forum keeps logging me out

Post by thefox » Sat Aug 31, 2013 1:22 am

Funny thing. It logged me out again (= displayed the username/password/login fields), but in the "Who is online" block it still displayed: Registered users: bazz, Bing [Bot], Google [Bot], thefox
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Re: Forum keeps logging me out

Post by thefox » Sat Aug 31, 2013 11:57 pm

And some more debugging info. Today, I took a look at the cookies before opening this site:

Code: Select all

Name:   phpbb3_6cazq_k
Content:   cde33d44[censored]
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Saturday, August 31, 2013 11:10:50 PM
Expires:   Sunday, August 31, 2014 11:10:50 PM

Name:   phpbb3_6cazq_sid
Content:   ef32d8ce907e904b[censored]
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Saturday, August 31, 2013 11:10:50 PM
Expires:   Sunday, August 31, 2014 11:10:50 PM

Name:   phpbb3_6cazq_u
Content:   80
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Saturday, August 31, 2013 11:10:50 PM
Expires:   Sunday, August 31, 2014 11:10:50 PM


And after browsing to this site:

Code: Select all

Name:   phpbb3_6cazq_k
Content:   
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Sunday, September 1, 2013 8:43:26 AM
Expires:   Monday, September 1, 2014 8:43:26 AM

Name:   phpbb3_6cazq_sid
Content:   8468da1b880cb071[censored]
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Sunday, September 1, 2013 8:43:26 AM
Expires:   Monday, September 1, 2014 8:43:26 AM

Name:   phpbb3_6cazq_u
Content:   1
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Sunday, September 1, 2013 8:43:26 AM
Expires:   Monday, September 1, 2014 8:43:26 AM


As you can see, phpbb3_6cazq_k got cleared, phpbb3_6cazq_u got reset to a different value, and the session ID also was reset. This makes me think that the server had already purged the session before I opened the site today.

What's strange though is the "Who is online" list. Maybe it's managed separately from the sessions...
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

User avatar
infiniteneslives
Posts: 2097
Joined: Mon Apr 04, 2011 11:49 am
Location: WhereverIparkIt, USA
Contact:

Re: Forum keeps logging me out

Post by infiniteneslives » Sun Sep 01, 2013 10:07 am

For what it's worth I've been getting logged out frequently as well. I do login from 3-5 different PCs/devices on a given day, but usually I only have to login again ~once a month or so I'd say.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers

User avatar
tokumaru
Posts: 11438
Joined: Sat Feb 12, 2005 9:43 pm
Location: Rio de Janeiro - Brazil

Re: Forum keeps logging me out

Post by tokumaru » Sun Sep 01, 2013 5:34 pm

Just for the record, I'm not experiencing this problem even though I access the forums from a many different computers/networks. In only one of them I chose to remain logged in, which works just fine.

User avatar
koitsu
Posts: 4214
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: Forum keeps logging me out

Post by koitsu » Tue Sep 03, 2013 2:39 am

I'm sorry I can't help a lot with this issue (it'd be easier if I was experiencing it myself), but if it's believed to be a phpBB (forum software) bug, we use 3.0.10 right now and 3.0.11 is the latest. Here's the changelog:

https://www.phpbb.com/support/documents ... on=3#v3010

I did see issues relating to "stuck PMs" fixed in 3.0.11 (some folks here may remember that issue -- unrelated to what we're talking about, but I just happened to notice it while skimming).

3.0.12 is not out yet, but here are the changes proposed so far:

https://www.phpbb.com/support/documents ... on=3#v3011

If the issue is believed to be with PHP, the PHP version used is 5.3.15. The latest is 5.5.3, and if there was a place that was most likely responsible for this, it'd be in the sessions module or (remote possibility) the core.

http://www.php.net/ChangeLog-5.php

My gut feeling is that it's some kind of phpBB "thing", since server-side I don't really see anything that indicates an issue, but it's hard for me to diagnose this (as said, can't really help with that). I did find this:

https://www.phpbb.com/community/docs/FA ... out_issues

What's described here is vague/weird -- the settings are actually under the General tab, under Server Configuration / Load Settings. I've attached two screenshots (01.jpg and 02.jpg) showing what we have these set to. I've also included a screenshot of the Cookie Settings section since some of what thefox mentioned above is referenced there.

Keep in mind two things when looking at these screenshots (but please keep reading):

1) The session timeout value shown is just an indicator of how long you can be actively logged in before the board will automatically log you out. If you are a person who leave a tab open at all times here at the forum, then yes, my understanding is that you will be getting logged out after 3600 seconds of not interacting with the site anywhere; this is by design. Increasing this number might sound like a reasonable thing to do, but then again it may not be a wise thing to do. For example if someone is leaving the browser window/tab to the site open for an entire day, then the number would have to be increased to 60*60*24 = 86400 seconds or thereabouts. I would much rather people just close the damn tab/window when they're done. (I actually generally do not have to re-log-in very often on my setup, it's quite rare, but I also do not use tabs and I do not leave browser windows open indefinitely; I always [X] out of things when I'm done)

2) The settings shown there are phpBB-specific and not PHP-specific; PHP has its own types of control over sessions as well (specifically the GC cleaning up old files, etc.). So these two things require a somewhat "balanced" series of settings that match up well and don't conflict with one another.

Anyway, this caused me to find this post:

https://www.phpbb.com/community/viewtopic.php?t=2015965

Where someone states up front that the "session IP validator" basically looks at the network block you're part of, and requires a session to be valid only if the client IP connecting is within the same /24 (this would be a security measure). So, if your ISP is doing something like NAT'ing your outbound connections to the forum (usually done at workplaces for lots of reasons, but also for load balancing), and the connecting client IP could therefore flip in real-time from 1.2.3.4 to 1.2.9.16 (for example) then I can see this causing a person who was active on the forum to suddenly log out. Remember, this is not your "workstation IP address", this is actually what gets seen IP-address-wise on the nesdev server.

The settings we use permit the last octet to float/change (i.e. the A.B.C method), as indicated in the 03.jpg screenshot. I am happy to try changing this to something else ("None" possibly), but I would much rather not if the root cause can be determined.

But as you can see, there are other security measures phpBB has in place (and some I have blacked out in the screenshot because we do know spammers/etc. show up here and this is not the Moderators board so these posts/this information is public) to also "verify" that the client connecting is who it says it is -- specifically "validating the browser" (probably comparing User-Agent strings), handling situations where the browser (HTTP client) includes the X-Forwarded-For header (this is often use by caching proxies, so if you're at a workplace that uses an HTTP proxy server then this header might be included and your web browser wouldn't be sending it, the proxy server would -- the only way for us to see this would be to use tcpdump on the server, which I cannot do) and also referer validation.

Basically my point here is that there's lots of "stuff" that could cause this to go awry for someone, and troubleshooting it requires familiarity with all the aforementioned things, plus requires that the troubleshooting be done in real-time. For example I cannot go back and look at site (Apache) access logs to track down thefox -- username/etc. is not stored anywhere in the logs, so all I could go off of is IP address, but as I said above if the IP address is shifting around a lot then my greps/etc. are going to be wrong/incorrect (the site gets hit a *lot*).

The best I can do is try to get exact timestamps from you (please include timezone, or if you can just give me UTC timestamps that would make my job much much easier (server log timestamps are in UTC)) when you see the issue start, along with the exact time you had to re-log-in, and I try to figure out if it's the session IP validator that's causing it. I've already grepped through logs and there just isn't enough information to key off of there (no way to correlate an access to a username).

Welcome to The Internet(tm) and Web Crap of today, and what we SAs have to deal with all the time.
Attachments
03.jpg
02.jpg
01.jpg

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Re: Forum keeps logging me out

Post by thefox » Tue Sep 03, 2013 3:41 am

koitsu wrote:Where someone states up front that the "session IP validator" basically looks at the network block you're part of, and requires a session to be valid only if the client IP connecting is within the same /24 (this would be a security measure). So, if your ISP is doing something like NAT'ing your outbound connections to the forum (usually done at workplaces for lots of reasons, but also for load balancing), and the connecting client IP could therefore flip in real-time from 1.2.3.4 to 1.2.9.16 (for example) then I can see this causing a person who was active on the forum to suddenly log out. Remember, this is not your "workstation IP address", this is actually what gets seen IP-address-wise on the nesdev server.

The settings we use permit the last octet to float/change (i.e. the A.B.C method), as indicated in the 03.jpg screenshot. I am happy to try changing this to something else ("None" possibly), but I would much rather not if the root cause can be determined.

I'm 99% certain this is not the cause of it because I have a static IP address.

I'm going to try Firefox for a couple of days to see if the same problems occur with it too.
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Re: Forum keeps logging me out

Post by thefox » Wed Sep 04, 2013 8:53 am

The problem doesn't occur on Firefox. So probably a recent update of Chrome changed something that causes phpBB to invalidate the session (maybe the User-Agent changes ever so slightly (that would be strange, though), or something...)
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

3gengames
Formerly 65024U
Posts: 2269
Joined: Sat Mar 27, 2010 12:57 pm

Re: Forum keeps logging me out

Post by 3gengames » Wed Sep 04, 2013 5:46 pm

Chrome, up to date on multiple PC's and OS's, no problems.

User avatar
tokumaru
Posts: 11438
Joined: Sat Feb 12, 2005 9:43 pm
Location: Rio de Janeiro - Brazil

Re: Forum keeps logging me out

Post by tokumaru » Sat Sep 07, 2013 8:18 pm

A few days ago I said I wasn't experiencing this problem... well, I am now. I get logged out almost every day. Chrome has updated itself recently, so I suspect that there's something up with that, like thefox suggested.

User avatar
thefox
Posts: 3141
Joined: Mon Jan 03, 2005 10:36 am
Location: Tampere, Finland
Contact:

Re: Forum keeps logging me out

Post by thefox » Sat Sep 21, 2013 1:12 am

I want to add that this is not the only phpBB forum that is logging me out frequently now when using Chrome.
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

Post Reply