Session Verification in RC 5

Started by MistaObvious, June 09, 2011, 08:51:38 AM


MistaObvious

I'm currently in the process of setting up a new gaming website.  Premise is simple, most everything is based around forums and I'll add features later for anything additional that might be required.  I've been successfully using SMF on another website that I've upgraded from 1.0.3 or so right up through RC4 and everything seems to be running like a top.

So I installed RC5 for this new website using a complete install package from the downloads section here (as opposed to using anything I might have backed up on my hard drive).  During installation I selected the database driven sessions option.  After the install I was automatically logged in (straight from the install script to the index page there was no need to log in).  If I tried to access the admin I would receive the same session verification error that others have reported in the past.  Since it told me to, I would then try logging out only to receive the same error.  After deleting any cookies I'd be logged out.

This is where things become odd.  Regardless of how I would attempt to log back in I would receive a wrong password error (using the login at the top of the page or by pressing the login link and logging in that way).  The next attempt would be fine.  If I then click on the admin link I would go right to administration without having to verify my password.  If I wait at all, however, I would in fact be required to verify my password as I'm supposed to.  Problem is that the verification would again turn up the session verification error.

I've tried every suggestion I've come across on these forums.  I've changed the cookie name, used the repair_settings file, deleted everything and reinstalled, etc.  With all this frustration I looked around for a different forum/cms solution as it appeared this is something that's either broken on my end or broken in the package itself.  Problem is, SMF is the only solution for me.  LOL  Anyway, so here on my fifth try at installing SMF I came across the same problem.  However, this time when I was able to finally get into the administration I turned off database session handling.  Now everything's working as it should.

Oh, and I should also point out that the built-in visual verification doesn't show up regardless of the settings while using the DB session handling.  There's just no image whatsoever.  Turn off DB session handling and it works just fine like everything else.

So, yes, I've found a solution.  At least for some, another possible solution.  But I thought some of the devs might be interested in seeing what's up with this and perhaps at some point patching it.  I know there's been a lot of security issues that have come up over the last couple years that have caused many changes to be made with session handling or login processing, so my thought is that something might have been accidentally broken in the process of making things more secure.  Who knows?  Anyway, I'd like to help.

The forums in question (which are currently working) are at hxxp://www.allaboutthefight.com/index.php
I've set up a phpinfo page at hxxp://www.allaboutthefight.com/smf_info.php so you can see the environment this is all installed on.  If there's anything else I can do to further help, let me know.  I don't mind even setting up an ftp account with a db so one of the devs can give it a shot and see what I've seen.  But I'll cross that bridge when we come to it.

EDIT: On further investigation, if I now re-enable DB session handling everything works fine.  So it seems if the issue comes up the solution would be to turn off DB session handling, give it a run around the block without it and then turn it back on and all should be fine.

MistaObvious

I'm surprised no one's that interested in this issue.  Having noticed that you're considering moving to "gold" soon, I would think that something like session verification would be a topic of particular note.  Granted, the problem being limited to a small percentage of installations doesn't exactly scream out "something needs to be done".  However, if you've encountered this issue, you might notice this as being a particular problem for a user of such a forum.

Reason I'm posting back and making such a fuss out of this is because my last edit seems to have been mistaken.  Re-enabling the DB session handling doesn't actually fix anything.  At first everything seemed fine, but after a while the problem re-presents itself.  Considering the site I'm using these forums on is new, this is a major issue if it continues as I'm looking to attract new visitors to my site.  As you may or may not be aware, something as annoying as session verification errors is very likely to turn off any new visitors who aren't already loyal to the community.

Now, granted having turned off DB session handling you might consider this a resolved topic, but I'm sure most are aware that down the road this could potentially be a problem for performance.  I'm just really hoping that someone would be willing to look into it and recognize it as an issue that needs resolving.  If not today, at least reasonably soon so that not only can I improve the handling of my site, but others can avoid the issue altogether.

Aleksi "Lex" Kilpinen

Sorry no one's caught this topic earlier - Do you have any real idea on what exactly could be the cause of this?
Have you tried if 2.0 Final has the same issues for you?
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas
