Sessions time out

Steephh · February 15, 2011, 05:12:15 PM

Since a few days we have a weird problem on our forum. Some members (not all) lost their 'session' after about 30 minutes after they login. When they visit the forum then, it looks like they are logged in (they can see new unread posts etc), but when they click on anything they are suddenly logged out.

I have tried a few things to fix this. First I have requested everybody to clear their cache/cookies etc. This didn't help.
After that I played with the 'Cookie and Sessions'-settings and tried different combinations of settings. Our settings are now:

Cookiename: ABC1234
Default Cookie Length (in minutes): 1440
Enable Local Storage of cookies: No
Use Subdomain Independent Cookies: Yes
Use Database Driven Sessions: Yes
Allow browsers To Go Back To Cached Pages: Yes
Seconds before an unused session timeout: 2880

In the error-log their are a lot of errors like these:

http://forum.com/index.php?action=login2 [nofollow]
Password incorrect - Steephh

Don't know what they mean, but I didn't log in at that time the error appeared (and I guess so didn't the other members).

Arantor · February 15, 2011, 05:22:54 PM

And are there a ton of 'incorrect password' errors in the log?

Steephh · February 15, 2011, 05:39:42 PM

Since this problem appeared (13 february) 138 error's of this type.

Baby Daisy · February 15, 2011, 05:41:38 PM

There is a bot raid going on, where bots attempt to login as a member to spam.

They try to login so much that the flood control kicks in, thus logging out that member.

Steephh · February 15, 2011, 05:45:42 PM

Well, I don't think that's the problem because there are not so much errors that it looks like a bot raid. And only certainly users have this problem, others not.

Unless not each login attempt is logged but only the ones that aren't in the same timespan of x minutes. If this is so, is there a workaround for this? Maybe it is possible to block ip's who log in several times (>10 times) with a wrong password?

Arantor · February 15, 2011, 06:03:50 PM

Quote from: Steephh on February 15, 2011, 05:45:42 PM
Well, I don't think that's the problem because there are not so much errors that it looks like a bot raid. And only certainly users have this problem, others not.

It IS a bot raid. It's just slow and seemingly random.

QuoteUnless not each login attempt is logged but only the ones that aren't in the same timespan of x minutes. If this is so, is there a workaround for this? Maybe it is possible to block ip's who log in several times (>10 times) with a wrong password?

The requests are from different IPs each time.

Illori · February 15, 2011, 06:05:42 PM

there are several posts in this forum about this issue, the best idea at this point is to upgrade to the latest 2.0 RC5 or 1.1.13

Steephh · February 15, 2011, 06:12:39 PM

Hmm it looks like you are all right! Well, we need to upgrade then!

Thanks for all your advice!

News:

Sessions time out