Strange User Log Out issue

Started by Speakman, February 15, 2011, 06:55:24 AM


Speakman

Hey SMF


A few of my users have been auto-logged out over the last 4 or 5 days, which I suspect has been a cookie issue. As such, I have gotten everyone to delete and renew to a fresh authentication cookie with a different name and time-out option set, although most of my users use the stay logged in forever feature.


Now whether the users are absent long enough for that time-out option to take effect or not I'm not sure, but I suspect that it's a stranger issue than that.

So, to be sure, I am asking here if anyone has ever had a similar issue or not, and how it was fixed. I am also after the default settings for the cookies, so that I can make sure I set everything back up right. I'm kinda worried that I may have accidentally changed something.

Currently have "Enable local storage of cookie" checked, "Use Subdomain Independent cookies" unchecked, "use database driven sessions" checked, "allow browsers to go back to cached pages" unchecked. Everything seemed to work fine from April 2010 till last week, when I was last in Administration settings and the issue started. I haven't installed any new mods in quite a while, so I'm fairly sure it wasn't that.


SMF version 2.0 RC3
Black Rain Theme
PortaMX 0.980 (I think that's the version)
Youtube BBCode
Dozen Pages Mod

and a couple of other minor ones.


Any help here will be greatly appreciated, as my users are getting a bit annoyed at the slight inconvenience.


Thanks,

Speakman

Arantor

This has been noted many many times on this forum in the last few days. SMF forums are currently under attack from bots trying to swipe passwords by brute forcing the accounts.

Due to the behaviour before 2.0 RC4+security patch, or 2.0 RC5 (from which the security patch for RC4 was made), users would be logged out when that happened, and this is what's causing the logouts you're seeing.

Neek

While we're on the subject, what's the difference between "Default login cookies length (in minutes)" and "Seconds before an unused session timeout"?

I left them at defaults but I still get logged out after some time even if I check "always stay logged in" when I login.

Arantor

The default login cookie length is how long a user will stay logged in for by default if another option isn't picked.

Session timeout length is more an internal setting, the default is fine in nearly every case.

As I pointed out above, your being logged out is almost never to do with the above settings but related to the attempts to attack forums.

Speakman

Thanks Arantor for the response. Definitely explains a lot.

Game.ruler

My users and I also faced this problem. But sometimes when I open http://mysitename.com it shows me logged out, but when I open any page it shows me logged in.

Arantor

Game.ruler, please open a new topic with more details about the problem, in particular the actual URLs in question that are affected.

Storman™

Quote: This has been noted many many times on this forum in the last few days. SMF forums are currently under attack from bots trying to swipe passwords by brute forcing the accounts.

Due to the behaviour before 2.0 RC4+security patch, or 2.0 RC5 (from which the security patch for RC4 was made), users would be logged out when that happened, and this is what's causing the logouts you're seeing.

Many thanks for that Arantor.

Are we saying then that this would only affect RC3 forums? Are RC4/5 implementations immune to this type of attack? I ask because the users on one of my RC3 forums have reported getting logged out frequently in the past week or so. Like most sites we have exploits aimed at us on a daily basis, so it's difficult to say if this is a bot undertaking the activities you describe or something else.

Has anyone else had this issue? I'm planning on upgrading to RC5 but haven't finished my testing yet, and I'm reluctant to be an early adopter of new releases.

Arantor

The bot attacks are happening on SMF forums, on phpBB forums and so on.

RC4 users who installed the special patch, as well as 2.0 RC5 users and 1.1.13 users do NOT have the logout problems, though they DO have the hack attempts going on.

Any version before 1.1.13 / 2.0 RC5 without security patch will have the issue where a failed password attempt on a user account will log that user out.
