Text only | Text with Images

Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: Steephh on February 15, 2011, 05:12:15 PM

Title: Sessions time out
Post by: Steephh on February 15, 2011, 05:12:15 PM
Since a few days we have a weird problem on our forum. Some members (not all) lost their 'session' after about 30 minutes after they login. When they visit the forum then, it looks like they are logged in (they can see new unread posts etc), but when they click on anything they are suddenly logged out.

I have tried a few things to fix this. First I have requested everybody to clear their cache/cookies etc. This didn't help.
After that I played with the 'Cookie and Sessions'-settings and tried different combinations of settings. Our settings are now:

Cookiename: ABC1234
Default Cookie Length (in minutes): 1440
Enable Local Storage of cookies: No
Use Subdomain Independent Cookies: Yes
Use Database Driven Sessions: Yes
Allow browsers To Go Back To Cached Pages: Yes
Seconds before an unused session timeout: 2880

In the error-log their are a lot of errors like these:

http://forum.com/index.php?action=login2
Password incorrect - Steephh

Don't know what they mean, but I didn't log in at that time the error appeared (and I guess so didn't the other members).
Title: Re: Sessions time out
Post by: Arantor on February 15, 2011, 05:22:54 PM
And are there a ton of 'incorrect password' errors in the log?
Title: Re: Sessions time out
Post by: Steephh on February 15, 2011, 05:39:42 PM
Since this problem appeared (13 february) 138 error's of this type.
Title: Re: Sessions time out
Post by: Baby Daisy on February 15, 2011, 05:41:38 PM
There is a bot raid going on, where bots attempt to login as a member to spam.

They try to login so much that the flood control kicks in, thus logging out that member.
Title: Re: Sessions time out
Post by: Steephh on February 15, 2011, 05:45:42 PM
Well, I don't think that's the problem because there are not so much errors that it looks like a bot raid. And only certainly users have this problem, others not.

Unless not each login attempt is logged but only the ones that aren't in the same timespan of x minutes. If this is so, is there a workaround for this? Maybe it is possible to block ip's who log in several times (>10 times) with a wrong password?
Title: Re: Sessions time out
Post by: Arantor on February 15, 2011, 06:03:50 PM
Quote from: Steephh on February 15, 2011, 05:45:42 PM
Well, I don't think that's the problem because there are not so much errors that it looks like a bot raid. And only certainly users have this problem, others not.

It IS a bot raid. It's just slow and seemingly random.

QuoteUnless not each login attempt is logged but only the ones that aren't in the same timespan of x minutes. If this is so, is there a workaround for this? Maybe it is possible to block ip's who log in several times (>10 times) with a wrong password?

The requests are from different IPs each time.
Title: Re: Sessions time out
Post by: Illori on February 15, 2011, 06:05:42 PM
there are several posts in this forum about this issue, the best idea at this point is to upgrade to the latest 2.0 RC5 or 1.1.13
Title: Re: Sessions time out
Post by: Steephh on February 15, 2011, 06:12:39 PM
Hmm it looks like you are all right! Well, we need to upgrade then! :P Thanks for all your advice!
Text only | Text with Images