Users getting logged out randomly

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
Fanchen
Registered User
Posts: 6
Joined: Wed Jan 15, 2020 10:56 am

Users getting logged out randomly

Post by Fanchen »

Support Request Template
What version of phpBB are you using? phpBB 3.3.0
What is your board's URL? https://dunkle-arche.de
Who do you host your board with? self hosted
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Update from a previous version of phpBB3
Is registration required to reproduce this issue? Yes
Do you have any MODs installed? No
Do you have any extensions installed? Yes
What version of phpBB3 did you update from? I believe that was 3.2.4
What extensions do you have installed?
24 hour activity stats
Avatar resize
Board Rules
Genders
Header Banner
Hide Bots
Lightbox
LMDI Multilinks
phpBB Display Age Users
phpBB Emojis
phpBB Gallery
phpBB Gallery Add-on: ACP Cleanup
phpBB Gallery Add-on: ACP Import
phpBB Gallery Add-on: Exif
phpBB Studio - Emoji
Posts merging
Simple mentions
What styles do you currently have installed? we_universal, Black
What language(s) is your board currently using? British English, German (Casual Honorifics)
Which database type/version are you using? MariaDB
What is your level of experience? Comfortable with PHP and phpBB
What username can be used to view this issue? No answer given
What password can be used to view this issue? No answer given
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? Likely the upgrade to 3.3
Please describe your problem. Some users are randomly logged out of the forum. That's especially noticeable when using Blueimp's AJAXChat, as they are instantly logged out of the chat as well.
I can't find a way to reliably reproduce the problem, for some users it happens fairly often and makes using the chat very annoying, for others (like me) it happens very rarely. For me, it's less than once a week. For some, it happens every couple of hours, and for some even more often.
It doesn't seem to be related to activities on the forum, as it can easily happen when users are only active in the chat or on other, unrelated websites.
I'm not sure if the browser has an impact on this, but at least Safari and Chrome are affected.

Cookie domain: .dunkle-arche.de
Cookie name: phpbb3_doz86 - I changed it a few days ago in an attempt to fix the problem
Cookie Path is /
SSL active

Session length: 28800 seconds
Generated by SRT Generator
User avatar
Elias
Registered User
Posts: 5152
Joined: Sat Feb 25, 2006 4:31 pm
Name: Elias

Re: Users getting logged out randomly

Post by Elias »

Is your cookie secure enabled?

Session length, i honestly never changed it so the default 3600 should be fine.
"Mystery creates wonder, and wonder is the basis of man's desire to understand." - Neil Armstrong
|Installing Extensions|Writing Extensions|Extension Validation Policy|
User avatar
EA117
Registered User
Posts: 2173
Joined: Wed Aug 15, 2018 3:23 am

Re: Users getting logged out randomly

Post by EA117 »

I wasn't able to duplicate any behavior like "the server unexpectedly assigned me a new session" that might have correlated to the symptom you're chasing, for what it's worth. Just hitting the site as guest, without being actually logged on. If you wanted to give a test account with limited access that you could delete later, maybe there would be more to observe when actually logged in and/or with chat access.

The Ajax Chat login didn't appear to have any chance of success on a phpBB 3.2.6 or later board. Since if you're not already logged in, it makes no effort at trying to produce the necessary form token. But that's probably to be expected, since I only seem them declaring support for phpBB 3.1.x integration. I'm not sure if your users actually would be encountering that though, when they're already logged into phpBB. This would be an issue if and when Ajax Chat decided to present it's own dialog and tries to invoke ucp.php?mode=login with the information collected.
radikul
Registered User
Posts: 22
Joined: Fri May 22, 2020 4:51 pm

Re: Users getting logged out randomly

Post by radikul »

I'm having a similar problem but it coincided with a new template install so I thought that may be the problem?
Fanchen
Registered User
Posts: 6
Joined: Wed Jan 15, 2020 10:56 am

Re: Users getting logged out randomly

Post by Fanchen »

@Elias
Yes, secure cookie is enabled (that's what I meant with "SSL active").
I increased the session length, otherwise users are logged out of the chat after an hour, if I remember correctly.

@EA117
User: Test
Password: test_password

I don't believe chat access is the cause of the problem, as I got reports of this happening from users who don't use the chat. It's probably less noticeable and annoying.

I personally don't care too much about the chat login working, on the long term, the Chat will probably be replaced anyway. It's quite outdated in other respects as well.

@radikul
Template as in style? I thought the style might be the cause, but it's updated to 3.3 and I received reports of the problem from users with prosilver as well.
I made slight modifications to the base style (the template?), though. Mostly related to the chat, so I can display current chat users in the "Who's online" section. I'll have a closer look at that later this week.
User avatar
EA117
Registered User
Posts: 2173
Joined: Wed Aug 15, 2018 3:23 am

Re: Users getting logged out randomly

Post by EA117 »

Fanchen wrote: Wed May 27, 2020 5:39 pm I don't believe chat access is the cause of the problem, as I got reports of this happening from users who don't use the chat. It's probably less noticeable and annoying.

I personally don't care too much about the chat login working, on the long term, the Chat will probably be replaced anyway. It's quite outdated in other respects as well.
Haven't been successful in duplicating any problem behavior, for what it's worth. Lots of quick movement around the board, entering an exiting chat, then leaving it sit for an hour, then leaving it sit for multiple hours, the phpBB board was still willing to continue letting me have my same logged-on session ID.

I'll check in there a few more times just in case I can finally see something, but the site doesn't seem to be showing some kind of "fundamental issue" like short session time or inability to persist new sessions. One of the pages I was served also invoked the tidy_sessions cron task for the board, so that seems to be working fine too.

If you view the "Who Is Online" while logged in as an admin, it shows you the IP addresses of the users hitting the board. Are they all independent unique addresses for the most part? Or do they all appear to be coming from the same address, as though your hosting provider might have you behind some kind of cache or other proxy?
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26864
Joined: Fri Aug 29, 2008 9:49 am

Re: Users getting logged out randomly

Post by Mick »

The cookies are correct.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
Fanchen
Registered User
Posts: 6
Joined: Wed Jan 15, 2020 10:56 am

Re: Users getting logged out randomly

Post by Fanchen »

@EA117
I've never seen any indication of a proxy being used, everytime I looked at the "Who is online" section the IP addresses looked unique.

Is there any way to log the reasons for session termination? That might be a way to pin down the issue.

Thanks you for the help, btw. It's much appreciated.
User avatar
EA117
Registered User
Posts: 2173
Joined: Wed Aug 15, 2018 3:23 am

Re: Users getting logged out randomly

Post by EA117 »

No, there isn't any optional logging already wrapped around the session matching or creation decisions. To have something like that, we'd just need to custom create some logging code in the session handling. "Everyone has the same IP address" is just one of those things that could have explained why phpBB was having difficultly maintaining the session-to-user relationships. But sounds like that's not the issue.

I'm still not duplicating any fundamental problem here. For the users experiencing this symptom, perhaps suggest or ensure they are using the "Remember me" option when logging in. If they are coming from an ISP that changes the user's IP address frequently, it could be that the problem users are being "logged out" because of that.

In technical terms, what really happens is when they come back seconds or minutes later with a different IP address, phpBB just declares "that IP address no longer matches the user of this existing logged-on session, so I'm going to create a new session for you instead." No session has been "terminated"; they just weren't allowed to continue using the existing session because of the IP address change.

Using "Remember me" can help mitigate that, because if and when such a "doesn't match any more" situation occurs, phpBB will also log in the new session that it creates for the user. So by using "Remember me", although the same underlying IP address change and session behavior is still happening, the user might never notice it now.

Maybe you have too many or wide-spread users having this issue to where this explanation doesn't seem likely to be the root cause. It just does happen to be one explanation that could fit with "why I can't duplicate an issue", because my IP address isn't changing.

How "strict" phpBB is when considering whether the IP address is still the same is what's controlled by the phpBB ACP Security Settings "Session IP validation:" setting. But unless you're truly having the issue with a lot of users, or people frequently getting "form invalid" trying to use the login dialog because their IP address changes during the login attempt, I wouldn't jump too quickly to relax that validation. Better for the users who are on such ISPs to simply enable the "Remember me" option when logging in, and keep the stricter validation for everyone.

Relaxing the verification is still an option, but just widens the window through which someone malicious could try and say "I'm allowed to use this existing logged-on session" when it really belongs to some other user. It's still kind of difficult and rare to actually do that, so if relaxing the verification is deemed to help, it's definitely a valid option. Just maybe not "plan A", if it can be helped.
Fanchen
Registered User
Posts: 6
Joined: Wed Jan 15, 2020 10:56 am

Re: Users getting logged out randomly

Post by Fanchen »

A user who gets logged out after only a couple of minutes helped me with some tests.
I checked their IP in the chat, and even after getting logged out and logging back in, that did not change.
The "remember me" option didn't change much either, they reported that another user tried the same without success. That may only refer to the chat, though: At least on one occasion, they weren't logged out of the forum, only the chat.
The IP may have some effect anyway. I noticed that after one logout, while the chat reported an IPv6 address, the "Who is online" displayed an IPv4 address. for the user. I can't think of a reason why that would happen, the user uses only a single device and after the next login, the forum also displayed the IPv6 address.

I only just noticed that you mentioned the "form invalid": The same user also has problems with that on login.
Maybe there is something wrong with dual-stack IPs. That could explain why some users experience the problem very frequently, while other don't. My ISP doesn't support IPv6 at all.

Sadly, with the IPv6/IPv4 change, there is no "mild" IP verification option. So, I currently have it turned off and will report back if the problem persists. It looks promising so far.

Edit: More information on the "form invalid": I had that reported by certain other users as well, and they said that it happens every time on login. Any idea why that might be the case? Could I have messed up my server configuration somehow?

Edit2: Then again, the problems started around the time I upgraded to 3.3. I remember that something about the login was changed with 3.3 or one of the later 3.2.x versions. Could that be causing problems with IPv6/IPv4 changes?
User avatar
EA117
Registered User
Posts: 2173
Joined: Wed Aug 15, 2018 3:23 am

Re: Users getting logged out randomly

Post by EA117 »

Fanchen wrote: Sat May 30, 2020 11:34 pm The IP may have some effect anyway. I noticed that after one logout, while the chat reported an IPv6 address, the "Who is online" displayed an IPv4 address. for the user. I can't think of a reason why that would happen, the user uses only a single device and after the next login, the forum also displayed the IPv6 address.
It does seem like if the client machine and ISP was capable of IPv6 to the web server, it would "want to do that every time" rather than just "sometimes." I haven't fought with any IPv6 issues; maybe someone else here recognized that symptom behavior.

If it was happening to me on my board, the way I would think to mitigate it would be to only create IPv4 addresses in the A records for my DNS name, so that no one would know what IPv6 address to connect to even if they wanted to. But that's not understanding or fixing the real problem.

Fanchen wrote: Sat May 30, 2020 11:34 pm I only just noticed that you mentioned the "form invalid": The same user also has problems with that on login.
Maybe there is something wrong with dual-stack IPs. That could explain why some users experience the problem very frequently, while other don't.
Yes, the "last access was with IPv4 address, and current access is with IPv6 address" counts as an IP address "change" in this context. Even though their IPv4 address and IPv6 addresses themselves may have remained static or stable. It's phpBB's perspective of "not the same IP address as you used last time" which is in play here.

Fanchen wrote: Sat May 30, 2020 11:34 pm More information on the "form invalid": I had that reported by certain other users as well, and they said that it happens every time on login. Any idea why that might be the case? Could I have messed up my server configuration somehow?
Have them clear their cookies if you haven't already. There does seem to be some yet-unaddressed scenario in which phpBB ostensibly should have known to send new Set-Cookie directives in order to update existing browser cookies, but which doesn't currently happen. And so only manually deleting the cookies works around it. So only if it remains "a problem at every login" after deleting the cookies so that they will be re-created is there a chance that maybe you need to look for some more pervasive issue. But most server-side reasons would be affecting all users, including yourself, and not just "some users."

Fanchen wrote: Sat May 30, 2020 11:34 pm Then again, the problems started around the time I upgraded to 3.3. I remember that something about the login was changed with 3.3 or one of the later 3.2.x versions. Could that be causing problems with IPv6/IPv4 changes?
"The problem", meaning its root cause, may have always been there. Updating from phpBB 3.2.4, you would have then seen an "invalid form during login" symptom due to that underlying root cause if you had updated to any phpBB 3.2.6 or later version. There wasn't any "form invalid" check occurring in phpBB 3.2.5 or earlier, specifically for the login form.
User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 52794
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Users getting logged out randomly

Post by stevemaury »

What is your Session IP validation setting in ACP, Security settings?
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
Fanchen
Registered User
Posts: 6
Joined: Wed Jan 15, 2020 10:56 am

Re: Users getting logged out randomly

Post by Fanchen »

I set it to "None". That's what I meant to say in my last post.

@EA117
I asked them to clear cookies before, I also changed to cookie name (I believe that should have the same effect, but for everyone?). That didn't help.

Neither the "form invalid" nor the logout issue has been reported since I changed the Session IP validation setting, so it probably really is the IPv6/IPv4 thing. Just wondering why that happens at all, as you said, if it's available IPv6 should always be used ...

Return to “[3.3.x] Support Forum”