Security Settings - Session IP Validation

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
menz01
Registered User
Posts: 121
Joined: Thu Oct 27, 2016 4:45 pm

Security Settings - Session IP Validation

Post by menz01 » Mon Jul 09, 2018 4:10 pm

Hello all,
i recently had to make a change to Security Settings - Session IP Validation where i had to lower it to "None". since i am big on security and hate to reduce security i am reaching out to see if anyone has any information on why i am doing this to my board after not having any issues since installing back in February of this year.

here is some background info on why i had to make the change. as i stated, my board has been in place since Feb. of this year and the setting in question was in its default state. a few weeks ago, possibly a month, i noticed on my cell phone using the chrome browser that when i logged into my forums that as soon as i logged in, i was brought straight back to the logon screen (i dont allow "remember me"). i tried it a few times and got frustrated and since i had firefox on my phone i tried there and it logged in fine. used it that way ever since and thought it was just my issue and i would fix it when i felt like it. then last night another user called me and described the same issue on his phone. i did not ask him the browser he was using though :( so i knew it was a bigger issue than i thought, but not huge as i only got one complaint in the weeks since i first noticed it on my phone.

so now i knew i had to try and fix it. i first deleted all brosing history and cookies on my phone for the chrome browser and that did not fix it. then i hit the google and found a few posts similar to my issue in the 3.0.x forums that suggested lowering the Session IP Validation to "A.B" or "None". lowering to "A.B" did not help me, "None" worked. i confirmed with the other user and he got in as well.

so why am i having to do this 5 months after my board is in place and what holes am i opening up? i like better security and i feel like i am laxing it a bit by doing this. are there any better suggestions?

Thanks in advance

User avatar
Brf
Support Team Member
Support Team Member
Posts: 51784
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}
Contact:

Re: Security Settings - Session IP Validation

Post by Brf » Mon Jul 09, 2018 4:46 pm

Session IP Validation ensures that your session is not being accessed from two different IPs. It is only an issue if your ISP is changing your IP radically during your session.

menz01
Registered User
Posts: 121
Joined: Thu Oct 27, 2016 4:45 pm

Re: Security Settings - Session IP Validation

Post by menz01 » Mon Jul 09, 2018 7:46 pm

so why would mine (and now apparently one more of users) be working fime then all of a sudden can't logon when it was set to the default settings. for me it has been weeks like this. your answer seems to me to say that the IP addresses are changing mid session? i guess i dont understand it still

User avatar
canonknipser
Registered User
Posts: 2023
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Security Settings - Session IP Validation

Post by canonknipser » Mon Jul 09, 2018 8:04 pm

menz01 wrote:
Mon Jul 09, 2018 7:46 pm
P addresses are changing mid session? i guess i dont understand it still
IPV4 addresses are a rare good nowadays.
Not all customers are active at the same time. Because of that, some providers (esp. on mobile service) change IP's quite often. If you are not active on your IP, they will suspend your connection after a few minutes and reconnect you with a new IP when your device is busy again. It's not needed for native IPV6, but those are handled the same way.
Nowadays, providers own not only a single block of IPs, but a lot of blocks. As of this, the new IP can differ from your old not only on the last byte or the last two bytes, but in other bytes also.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

Post Reply

Return to “[3.2.x] Support Forum”