Stabilizing login

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
LoopyShane
Registered User
Posts: 9
Joined: Sat Jun 18, 2005 10:26 am

Stabilizing login

Post by LoopyShane »

URL: http://www.missionhits.com/support
Template(s) used: custom version of silverblue
Any and all MODs: none
Do you use a port of phpBB: standard version
Version of phpBB: 2.0.15
Version of PHP: 4.3.11
Which database server and version: mysql 4.0.18
Host: Webair dedicated server
Did someone install this for you/who: myself
Is this an upgrade/from what to what: no
Is this a conversion/from what to what: no
Have you searched for your problem: yes
If so, what terms did you try: unstable+login, logout, ip+address
State the nature of your problem: unstable login
Do you have a test account for us: no - you can create one if you want but this applies to your site as well.

My ISP has several proxy servers in place that have traffic routed to them (no client-side proxy config). The issue comes from the fact that as you change pages the apparent IP address (the proxy you go through) changes and you are no longer logged in.

When they put the proxies in place I got them to put in a bypass for my domain and all was fine, but I have just moved to a dedicated server (they obviously put in an IP address for the bypass) and now they are reluctant to put in a bypass again.

In sessions.php the comments mention that you only compare the first 24 bits to overcome load-balanced proxies and still keep some security. My ISP has a range of proxies that are not all in the one 24-bit subnet; some are in 203.26.206.xx and others are in 203.28.159.xx.

In common.php you use $HTTP_SERVER_VARS['REMOTE_ADDR'].

Using $_SERVER['HTTP_X_FORWARDED_FOR'] if set would appear more useful, except it can contain a private address if the first proxy is behind a NAT firewall.

From what I can figure so far, the true IP address (live IP of the NAT router) is included in $_SERVER['HTTP_CACHE_CONTROL'] as bypass-client=xx.xx.xx.xx

$_SERVER['REMOTE_ADDR'] is the ISP proxy (from what I read this can be a list of proxies if you go through more than one, but from the testing I am doing this doesn't hold true when the first proxy is in a private IP address).

I am not sure if bypass-client holds true when you get routed through several proxies along the way and $_SERVER['REMOTE_ADDR'] becomes a list.

I am trying out the best way to tackle this problem - anyone have any suggestions?
Loams
Registered User
Posts: 35
Joined: Wed Aug 24, 2005 6:28 am

Post by Loams »

Welcome to our terrible world!!! Good luck. Do you think your issue relates to this?

Post by LoopyShane »

Does sound like the same thing - when I get a mod done I will see if he wants to try.

Post by LoopyShane »

I have had success with the following mod.

In the /common.php file, about 30 lines from the bottom, you will find a line that starts with

Code:

$client_ip = ( !empty($HTTP_SERVER_VARS['

Comment this out and under it add a line as

Code:

$client_ip = getrealip();

At the end of the file (before the ?>) enter the following

Code:

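function getrealip() {
    // Look for a bypass-client=<ip> directive in the Cache-Control request header
    if (isset($_SERVER['HTTP_CACHE_CONTROL'])) {
        $tmpcc = explode(',', $_SERVER['HTTP_CACHE_CONTROL']);

        foreach ($tmpcc as $k) {
            $k = trim($k);
            if (strcasecmp(substr($k, 0, 13), "bypass-client") == 0) {
                return substr($k, 14); // bypass client = real live ip address
            }
        }
    }

    // Otherwise build a list of REMOTE_ADDR followed by the X-Forwarded-For entries
    $tmparr = array();
    $tmparr[] = $_SERVER['REMOTE_ADDR'];
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // array_merge appends every entry; "+=" keeps the existing key 0 and drops the first one
        $tmparr = array_merge($tmparr, explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    }

    // Return the last entry in the list
    return trim($tmparr[count($tmparr) - 1]);
}

If HTTP_CACHE_CONTROL exists and contains bypass-client=xxxxx that will be your live ip address.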

Otherwise we put REMOTE_ADDR and HTTP_X_FORWARDED_FOR into an array and return the last entry.

The reason for checking for the bypass-client is that it can hold your live IP address, and your private IP address (192.168.x.x) will be in HTTP_X_FORWARDED_FOR. I have seen this happen when you have a proxy in the private LAN address and your ISP uses routed proxy servers (no client proxy config).

The one thing I am unsure of is the order that proxies are added to the HTTP_X_FORWARDED_FOR list (I have been told this can be a comma-separated list of proxies you go through - but I have not been able to find a live example of this).

This may not be the most elegant way and as I mentioned the last proxy in the forwarded for list may be the wrong one but I can't find definite info on this.

As far as my forum goes this stops me getting logged out all the time as I get routed through different proxies.
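
The mod above takes the address used for the session check from request headers that any client can set. As an added example (not part of the original post and not phpBB code), one way to honour those headers only when the connection itself comes from a known proxy. The prefix list, function names and sample addresses are assumptions, it assumes the proxy sets bypass-client itself, and it needs PHP 7 or later rather than the PHP 4 used in the thread.

```php
<?php
// Added example, not phpBB code. The prefixes are the two proxy ranges named in the
// thread, treated as whole /24 networks (an assumption).
const TRUSTED_PROXY_PREFIXES = ['203.26.206.', '203.28.159.'];

function is_ipv4(string $ip, int $flags = 0): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | $flags) !== false;
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXY_PREFIXES as $prefix) {
        if (is_ipv4($ip) && strncmp($ip, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

function resolve_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($peer)) {
        return $peer; // not one of the known proxies: ignore every forwarding header
    }
    // bypass-client set by a trusted proxy, accepted only as a public IPv4 address
    foreach (explode(',', $server['HTTP_CACHE_CONTROL'] ?? '') as $directive) {
        $value = substr(trim($directive), 14);
        if (strncasecmp(trim($directive), 'bypass-client=', 14) === 0
            && is_ipv4($value, FILTER_FLAG_NO_PRIV_RANGE)) {
            return $value;
        }
    }
    // X-Forwarded-For: read right to left, stopping at the first hop that is not a proxy
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (!is_trusted_proxy($hop)) {
            return is_ipv4($hop, FILTER_FLAG_NO_PRIV_RANGE) ? $hop : $peer;
        }
    }
    return $peer;
}

// Constructed requests: a direct client sending the header, then a proxied request.
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CACHE_CONTROL' => 'bypass-client=192.0.2.99'];
$proxied = ['REMOTE_ADDR' => '203.26.206.10', 'HTTP_X_FORWARDED_FOR' => '192.168.1.5',
            'HTTP_CACHE_CONTROL' => 'max-age=0, bypass-client=192.0.2.99'];
echo resolve_client_ip($direct), "\n", resolve_client_ip($proxied), "\n";
```

For the direct request the header is ignored and the connecting address is used; for the proxied request the bypass-client value is used and the private X-Forwarded-For entry is never returned.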

Post by Loams »

Will give it a bash and let you know, thanks bud

Post by Loams »

Seems to work well for us!!! Will let you know after more forum members comment on their issue.

Please could anyone tell me what the possible repercussions of this mod would be?

Post by Loams »

Loams wrote: Seems to work well for us!!! Will let you know after more forum members comment on their issue.

Please could anyone tell me what the possible repercussions of this mod would be?


/bump and it's been working very well for us. All members that had login issues report that it's been solved.

I am very keen to hear from you guys in the know what the possible repercussions of this mod would be.

LoopyShane, Thank you very very much
richardr
Registered User
Posts: 17
Joined: Wed Feb 02, 2005 1:20 pm
Location: South Africa

Post by richardr »

Hi, I decided to try and fix my site one last time. My search for a solution brought me to your topic here, thank goodness. :D

I tried your fix above, and let me tell you, I am sooooo happy. :D For the first time in months I am able to browse through my administration area without being kicked back to the site index, or having half admin, half index screens.

What can I say, You Da Man, You Da Man. :D :D

Thank you so much.
Once having tasted flight you will walk the Earth with your eyes turned skyward.
For there you have been, and there you long to return.
Leonardo Da vincci
Gallione
Registered User
Posts: 10
Joined: Wed Oct 05, 2005 4:10 pm

Post by Gallione »

LoopyShane wrote: I have had success with the following mod.

In the /common.php file, about 30 lines from the bottom, you will find a line that starts with

Code:

$client_ip = ( !empty($HTTP_SERVER_VARS['

Comment this out and under it add a line as

Code:

$client_ip = getrealip();

At the end of the file (before the ?>) enter the following

Code:

function getrealip() {
    // Look for a bypass-client=<ip> directive in the Cache-Control request header
    if (isset($_SERVER['HTTP_CACHE_CONTROL'])) {
        $tmpcc = explode(',', $_SERVER['HTTP_CACHE_CONTROL']);

        foreach ($tmpcc as $k) {
            $k = trim($k);
            if (strcasecmp(substr($k, 0, 13), "bypass-client") == 0) {
                return substr($k, 14); // bypass client = real live ip address
            }
        }
    }

    // Otherwise build a list of REMOTE_ADDR followed by the X-Forwarded-For entries
    $tmparr = array();
    $tmparr[] = $_SERVER['REMOTE_ADDR'];
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // array_merge appends every entry; "+=" keeps the existing key 0 and drops the first one
        $tmparr = array_merge($tmparr, explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    }

    // Return the last entry in the list
    return trim($tmparr[count($tmparr) - 1]);
}

If HTTP_CACHE_CONTROL exists and contains bypass-client=xxxxx that will be your live ip address.

Otherwise we put REMOTE_ADDR and HTTP_X_FORWARDED_FOR into an array and return the last entry.

The reason for checking for the bypass-client is that it can hold your live IP address, and your private IP address (192.168.x.x) will be in HTTP_X_FORWARDED_FOR. I have seen this happen when you have a proxy in the private LAN address and your ISP uses routed proxy servers (no client proxy config).

The one thing I am unsure of is the order that proxies are added to the HTTP_X_FORWARDED_FOR list (I have been told this can be a comma-separated list of proxies you go through - but I have not been able to find a live example of this).

This may not be the most elegant way and as I mentioned the last proxy in the forwarded for list may be the wrong one but I can't find definite info on this.

As far as my forum goes this stops me getting logged out all the time as I get routed through different proxies.


LoopyShane, the ISP I'm having a problem with uses two different types of cache hardware, one supplied by Netapp, the other by Inktomi. Netapp use HTTP_X_FORWARDED_FOR and Inktomi use HTTP_CLIENT_IP; REMOTE_ADDR just returns the IP of the cache server.

Is there any chance you can adjust your code to include both HTTP variables? That would really help me with monitoring the IPs of the users on the particular ISP (ntl).

cheers.

Galli.

Post by LoopyShane »

Can I get you to give me the infophp() output that has gone through the Inktomi proxy?

If you create a file in the server - say info.php - and in it simply put

Code:

<?php infophp(); ?>

If you are concerned about any info in there I am only interested in Apache Environment (I am guessing the server is Apache), HTTP Headers Information and the PHP variables at the bottom. You can cover up anything there if you want as long as I can see the IP addresses in the different fields.

And also the address that you are connecting from so I know which one shows the real address.

When you bring up the page from your machine (or if you can get a client to do it if you) save the page and email it to me, you can edit out any parts you don't want me to see before you send it.

Post by Gallione »

LoopyShane wrote: Can I get you to give me the infophp() output that has gone through the Inktomi proxy?

If you create a file in the server - say info.php - and in it simply put

Code:

<?php infophp(); ?>

If you are concerned about any info in there I am only interested in Apache Environment (I am guessing the server is Apache), HTTP Headers Information and the PHP variables at the bottom. You can cover up anything there if you want as long as I can see the IP addresses in the different fields.

And also the address that you are connecting from so I know which one shows the real address.

When you bring up the page from your machine (or if you can get a client to do it if you) save the page and email it to me, you can edit out any parts you don't want me to see before you send it.


Thanks, but please pardon my ignorance, where in the server do you want me to place this file?

Cheers, Galli

Post by LoopyShane »

Anywhere you want that is accessible to a web browser, when you place it on the server then open it in your browser - it gives you a page full of info.

If you put it in your website's root folder you would then go to yourdomain.com/info.php and send me what shows up.

If you put it in with your phpbb directory you might go to yourdomain.com/phpbb/info.php

Post by Gallione »

LoopyShane wrote: Anywhere you want that is accessible to a web browser, when you place it on the server then open it in your browser - it gives you a page full of info.

If you put it in your website's root folder you would then go to yourdomain.com/info.php and send me what shows up.

If you put it in with your phpbb directory you might go to yourdomain.com/phpbb/info.php


ok, put it in my public directory, when I accessed via my Firefox browser, got the following message.

Code:

Fatal error: Call to undefined function: infophp() in /****/*****/public_html/info.php on line 2

I starred out the directories for security reasons. The host is running an Apache server.

Hope that helps - Galli
jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Post by jwunderly »

LoopyShane wrote: If you create a file in the server - say info.php - and in it simply put

Code:

<?php infophp(); ?>


Didn't you mean

Code:

<?php phpinfo(); ?>

?
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

Post by Gallione »

jwunderly wrote:
LoopyShane wrote: If you create a file in the server - say info.php - and in it simply put

Code:

<?php infophp(); ?>


Didn't you mean

Code:

<?php phpinfo(); ?>

?


LOL, yes he should have.....ok, that gives a lot of information, exactly what would you like?

Actually, email sent....thanks.

The board appears to be more stable for ntl users.....I'd still like to record the correct IP address though when they use the board, for security reasons.