News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Logged in forever and it keeps logging members out.

Started by mcaswe, February 12, 2011, 08:49:59 PM

Previous topic - Next topic

roonekoos

Quote from: Goad on February 16, 2011, 10:06:10 AM
So I have counted a handfull of people now having this issue (including myself) and seems like everyone who isnt having the problem is taking jabs at what to do to fix it.

I am using RC4 (not patched yet) and I have renamed my cookies but I am still having the problem.

Someone said they did the security patch, but still has the problem.

I read on another thread that someone who upgraded to RC5 is still having them problem.

Also, I am not changing my settings to local storage of cookies. The current settings should work.

Sounds like this is a major problem effecting multiple people. Can we get someone from SMF to look into this issue?

Thank you!  ;)

I am one person that have the security patch installed and it do not work at all, my forum was still attacked big time.
I have added the deny ip adresses and that stop them but daily new ip spam adresses are coming.

Can the SMF support maybe create a fix patch for this?

Cheers!
German Shepherd Forum (Dutch)
http://duitseherderforum.com/

Illori

people are still being logged out with the upgrade? or you are still seeing the incorrect password messages in your error log?

Arantor

-sigh-
The patch doesn't prevent the attempts and the errors. It just prevents you getting logged out.

Goad

Quote from: Arantor on February 16, 2011, 10:24:52 AM
-sigh-
The patch doesn't prevent the attempts and the errors. It just prevents you getting logged out.

-SIGH!-

are you not reading? several people are saying they are still getting users logged out AFTER they have patched.

Arantor

Very likely the patch was not properly installed then - the behaviour stopped on the 4 forums I admin that are affected, and on numerous other forums as well.

Having actually looked at the code changed, too, and knowing why the change was done the way it was (in two halves, ah the joys of SVN access), if they're being logged out now, the patch wasn't applied properly or another mod is affecting it, which is much more likely.

Norv

Goad,
We need to know as many details as possible, please. Were those users logged in as 'forever'? Did you experience it yourself? You say above you didn't install the patch, did you in the meantime?
Thank you.

roonekoos,
Quote from: roonekoos on February 16, 2011, 10:16:33 AM
I am one person that have the security patch installed and it do not work at all, my forum was still attacked big time.
I have added the deny ip adresses and that stop them but daily new ip spam adresses are coming.

The patch addresses the issue of authenticated users getting logged out by the attempts made by bots against their account. It cannot stop bots from trying.
You may want to look into mods like httpBL or login security, to address the attempts.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Goad

I have not once experienced the problem with my account on my forum, but I have many people complaining about it.

I just applied the patch and told people to let me know if at all they are still experiencing the issue.

I am not one of the people (yet) who are still having the problem after the patch, but there are others who are

roonekoos

Quote from: Norv on February 16, 2011, 10:33:07 AM
Goad,
We need to know as many details as possible, please. Were those users logged in as 'forever'? Did you experience it yourself? You say above you didn't install the patch, did you in the meantime?
Thank you.

roonekoos,
Quote from: roonekoos on February 16, 2011, 10:16:33 AM
I am one person that have the security patch installed and it do not work at all, my forum was still attacked big time.
I have added the deny ip adresses and that stop them but daily new ip spam adresses are coming.

The patch addresses the issue of authenticated users getting logged out by the attempts made by bots against their account. It cannot stop bots from trying.
You may want to look into mods like httpBL or login security, to address the attempts.

First of all thanks for the quick answers.
If you guys say that the patch is good I assume it is, I am not an expert on that.

I had installed the patch succesfully without errors or manually modifying.

I will try a login security mod and hopefully I can kill the attack attemts.

Do you have a recommendation of a mod I can use best?

Thanks and cheers!
German Shepherd Forum (Dutch)
http://duitseherderforum.com/

Clara Listensprechen

Quote from: Arantor on February 12, 2011, 08:53:32 PM
There are two things it could be.

Firstly, prior to 2.0 RC5 (or 2.0 RC4 with the security patch), if someone tried to log in as you and failed, you would be logged out.
Checking into this thread because I've recently had the same OP problem on my board (logged in forever but still get logged out) and a check of my Forum Error Log indicates that a number of strange IP Guests have been trying to log on as me.  I've banned each one and I've stayed logged in, discovering thereby that there's nothing wrong with the SMF software but just a bunch of hacking attacks.
Secondly, it could be a cookie/session problem. See about the first one first though.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Arantor

It's a bunch of hacking attacks, lots of bots doing it. But prior to 2.0 RC5 / RC4 patch, those attempts would also have the side effect of logging out genuine users, which banning by IP does prevent - until they change IP address again.

Clara Listensprechen

#50
Quote from: lukeolding on February 16, 2011, 06:25:30 AM
Is it possible to install rc5 whilst my old version is still in use, ie. can i install rc5 into another directory then once install complete, i can look and edit the new version.  Once I am happy with it then change the directory's so Rc5 is the defualt.

Thanks

Luke
Ya, I'd like an answer to this too. I just upgraded and lost all my mods, so I'd like to take the upgrade offline until I can iron all the !#%$*@!! kinks out and get the new version operating with the same features and customizations the old one operated on.  I gotta re-do old research all over again and it's not something I can do in 5 minutes.

I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Clara Listensprechen

Quote from: Arantor on February 16, 2011, 06:08:34 PM
It's a bunch of hacking attacks, lots of bots doing it. But prior to 2.0 RC5 / RC4 patch, those attempts would also have the side effect of logging out genuine users, which banning by IP does prevent - until they change IP address again.
True--they're famous for IP spoofing, for sure. I just installed that force email login thingie to save myself from banning every spoofed server in existence.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

jezinho

Assuming the bots IP is in their database, do any of the two mods mentioned in this thread completely block the hack attempts of existing user accounts, or do they just block registering new accounts from that IP?

Stop Spammer: http://custom.simplemachines.org/mods/index.php?mod=1547
httpBL: http://custom.simplemachines.org/mods/index.php?mod=2155


I know, installing the security patch / RC5 will stop users getting logged out, but somehow I still don't like bots endlessly trying to hack into forum accounts...

Arantor

The patch in my sig has had 100% success at blocking this bot attack.

rgecy

I am running 2.0 RC 2 and having this same issue personally.  I will be logged in and click on a post to read and it will log me out.  Or I will hit the reply button and sit for a few minutes, less than five, and when I hit the post button, it will say that your session has expired.

I have had several other users report this as well. 

what do I need to do if I am running RC 2?  Can I emulate RC 4 in this version?

Thanks

RGecy

Arantor

You should just upgrade, to be honest. Using the security patch on RC3 is one thing, but using it on RC2 is really not recommended even if it might work (I haven't tested). There are multiple vulnerabilities in RC2 that were fixed in RC3.

rgecy

I have so many mods I think it would just be a nightmare right now!

Pinball Nation

I had this same problem last week.I installed this mod http://custom.simplemachines.org/mods/index.php?mod=1665 I have not had any problems since.I was using RC3 so i had to go to his site to get the version i needed.I hope this helps.

thing2

I successfully upgraded to RC5 and haven't had any of my users saying that they are being logged out, have seen that there are still logs for unsuccessfully logging in for users so they are still hitting us

Arantor

Quote from: thing2 on February 23, 2011, 07:07:08 PM
I successfully upgraded to RC5 and haven't had any of my users saying that they are being logged out, have seen that there are still logs for unsuccessfully logging in for users so they are still hitting us

No-one said that the upgrade would magically prevent the bots trying to guess your members' details. See the thread in News and Announcements for suggestions on what you can do about it.

Advertisement: