nesdev.com

Seems like this problem has fixed itself.

_________________
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

It looks that way to me too. Everything has worked as expected for a while.

...aaaand now it has started logging me out again.

_________________
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

Yearly status report: it's still happening on Chrome. Also the "Hide my online status this session" checkbox doesn't seem to work reliably, although I'm not sure what is its definition of a "session".

_________________
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

It hasn't happened to me anymore. Not frequently, at least... it does happen once every couple of weeks, but that doesn't annoy me.

This has been happening to me frequently on one machine I use, using chrome in incognito mode. I do this so when all the private tabs close all he cookies and whatnot are cleared up. However, as long as I keep one private tab open, the session stays alive for the various sites I've logged into. Except here, where if I leave the forum I am almost certainly going to be logged out when I come back. Leaving a forum tab open seems to prevent this for some amount of time.

phpBB's manual states that sessions are based on more than the session ID in your cookie. As an extra measure against session hijacking (e.g. Firesheep) and session fixation, an administrator can set phpBB to validate your public IP address (/16, /24, or the whole thing), the User-agent and Referer headers provided by your browser, and the X-Forwarded-For header provided by a proxy. This means if your DHCP lease expires and you get a different IP address, you might get logged out. Or if you're behind a carrier-grade NAT (common in developing countries and with wireless ISPs) or a transparent proxy (which AOL dial-up was notorious for using), you might get logged out.

NESdev BBS is currently set to these security settings:

• Allow persistent cookies ("Keep me logged in"): On, no expiration
• Restrict a session to a /24's worth of public IP addresses (such as 123.45.67.xx)
• Validate User-agent
• Do not validate X-Forwarded-For
• Validate hostname in Referer of POST requests

And these load settings:

• Users disappear from "Who is online" after 5 minutes
• Sessions expire after 1 hour (I'm not sure if this is an hour after login or an hour after last page view)

And obviously, if you're using private or incognito mode, your browser will toss your session cookie more aggressively.

That theory goes out the window (in my case) since I started this thread when I had a static IP (I don't anymore, but I doubt that the IP address changes very often).


I wonder how pedantic the User-agent check is. Chrome does update itself awfully often...

EDIT: The User-agent seems very likely to be the cause. Just as I wrote this post, I noticed in Chrome's update dialog that it was ready to update after restart, and after I restarted, I had been logged off.

_________________
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi

I seem to get logoffs too, but only when I am on the commute to work. Only thing that changes is that I am on train WiFi rather than my home network.

_________________
http://www.tmeeco.eu