getting hit by 'Session verification failed'

Started by lorth, June 28, 2011, 04:25:39 PM


lorth

hi,

since a couple of days i and a lot of my members are getting hit by the nasty
Session verification failed. Please try logging out and back in again, and then try again.
bug.
it happens on a lot of occasions, writing PMs, posting, logging in, logging out...
also notably that especially logging out did nothing here, in contrast to what the error message suggested, which left a lot of my members really confused.

i searched this fine forum for help, found a lot of threads from some months ago, tried a lot of proposed solutions, but nothing worked out well.
i tried:
  • log in, but NOT check "remember me"
  • logging in without "session forever", i.e. 60 minutes
  • emptying out [mysql TRUNCATE] smf_log_online and smf_log_errors and smf_sessions
  • changing the cookie name of the forum
  • deleting the cookies in my browser

nothing helped even a bit.

the only thing which had any effect so far was commenting out the whole checkSession() function in Sources/Security.php
this fixed it for 2 PCs at once for a member of mine, i enabled the check again, got hit again, disabled it block by block, nothing worked, disabled it in whole again, the bug went away. for me, the member i tested with, and failed logins in the errorlog went back to a normal number too.

obviously, i would be really interested in a solution which does not leave my forum open for bad things like session hijacking or similar kind of games.

i saw a good handful or two of postings by smf staff declaring that this is not a bug in the smf software - which i do think is the case, considering that a change in the code is the very difference between "bug on" and "bug off".

i am open to any suggestions to try to make this go away and preserving my forum's security at the same time.

SlammedDime

Link to your site and a PHPinfo file would be the best thing at this point.

What is a phpinfo() file?
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
                      My Mods
SimpleSEF
Ajax Quick Reply
Sitemap
more...
                     

lorth

i would prefer not to link to it.
phpinfo: -snip-

SlammedDime

Can you at least PM me a link to your site if you don't want to post it publicly?  The php settings look okay for sessions, so we'd just be taking shots in the dark without actually seeing the site and reproducing it real time.

lorth

well, as a last resort, yes.

in the meantime i would be happy to try everything else.
beside the fact that the sessioncheck is still completely disabled and you would not get bit by the bug, it had happened to a handful of users again and again, while most just got away and could use the forum normally.
i also wonder what you could do beside confirming the existence of the bug or not, depending on if you get hit or not.

i forgot to mention, it seems to not be bound to a specific browser, it hit me with firefox 5 and chrome, the member i was referring to earlier was using two different (sub)versions of the firefox 3.6.x branch.

SlammedDime

You can try disabling database driven sessions and see if that helps.

Whether the session check is turned off or not won't make a difference to me in looking at your site, I'm more interested in examining the URLs that contain the session information, as well as the HTML that contains the post data with session information to see how often it might be changing.  Also taking a deep look at the cookie details, such as the domain and paths being set in the cookie, as well as the PHPSESSID and the data contained in SMF's cookie would help as well.

Regardless, i found the URL to your forum, played around a bit, it looks like the session information is transferring around correctly, the cookies are being set right and contain the right data.  Does this happen after someone has been sitting at their browser for a while on the same page, perhaps making a long post or PM, or clicking logout after having the browser open for 10 minutes or more?  Or does it happen when actively using the forum?

lorth

whoops, i just noticed a new user with a US-based ip and banned him instantly.
was that you?
...do you still need the account? ^^

i don't know about most of my members getting hit by this, i am happy if they manage to tell me they are affected. :|
the first one to report this told me it happened "while sending a PM", but i don't know how long the text was, or how long the window was used.
to me personally it mostly happened while actively browsing, but also sometimes when i reused an open tab in my browser.

i forgot to mention that i run a 1.1.14 install, would it help if i provide a list of the installed mods?

capitalw

Quote from: lorth - June 28, 2011, 05:55:57 PM
whoops, i just noticed a new user with a US-based ip and banned him instantly.
was that you?
...do you still need the account? ^^

i don't know about most of my members getting hit by this, i am happy if they manage to tell me they are affected. :|
the first one to report this told me it happened "while sending a PM", but i don't know how long the text was, or how long the window was used.
to me personally it mostly happened while actively browsing, but also sometimes when i reused an open tab in my browser.

i forgot to mention that i run a 1.1.14 install, would it help if i provide a list of the installed mods?

A list of mods would help, especially any that deal with IP addresses.

I unfortunately have a dynamic (very dynamic) IP address due to having cellular broadband as my only non-dialup option. Living in an area with a weak signal, I lose and regain data connections several times an hour and some online apps (such as forums) will kick me if my IP address changes between my starting a post and hitting "Post". So this is why I specifically asked about IP oriented mods.
Amateur radio operator N3MTJ. Nuts about anything technical.

lorth

i don't know about my members, but i got hit without any ip changes on my side.
i am pretty sure this is true, because i run a little server at home which (along with all my other sites) gets checked by 2 "is your server up"-services, and i didn't get any email notices in the relevant time frames.

here is a list of all the installed mods:

1. Users Online Today Mod 1.4.0
2. Topic Member Post Count 1.1.5
3. Menu Buttons 1.1
4. Mibbit Ajax IRC Chat Mod 1.7
5. Hide Info Center From Guests 1.0
6. TopicStarter Mod 1.6
7. User Email System 1.3
8. Aeva ~ Auto-Embed Video & Audio 7.1
9. Spoiler BBCode 1.1.3
10. Post PM 1.0
11. Your Last Visit 1.1
12. Top 10 Posters and Topic Starters Stats (Today, Week, Month, and Year) 2.5.2
13. Registered Links 3.0
14. Topic Count in Profiles 2.0
15. reCAPTCHA for SMF 0.9.8
16. Book of Unknown Action 1.0
17. Look But No Read 1.3
18. Hide SMF Version 1.0.6
19. Hide Unused Profile Display Fields 1.0
20. Spiders Don't Increase Topic Views 1.1.1
21. Search Focus Dropdown 1.51
22. Auto Refresh Who Index 1.0
23. SMF 1.1.14 Update 1.0
24. Highlight Search Keywords 1.23
25. NoFollow All Links 1.2.1
26. Version Emulate Dropdown 1.1
27. Member posts recount 0.5
28. Hide Signatures from Guests 2.0

lorth

i have reenabled the sessionchecks and patched the error.template to log some more data to file than what would appear in the errorlog in the admincenter.

one member got hit again quite instantly, but that could be resolved by deleting the browser's cookies.

i will update this when i have more detailed data to nail it down.
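
Added example, not part of lorth's post and not SMF code: a generic PHP sketch of logging why a session token check failed, so the failures can be narrowed down while the check stays enabled. The function name, the `token` form field, the `token` and `created` session keys and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration, not SMF's checkSession(); every name here is hypothetical.
// Reports why a posted session token was rejected, so the failures can be
// logged and compared while the check itself stays enabled.
function diagnose_session_check(array $session, array $post, array $cookies,
                                string $cookieName, int $now): array
{
    $digest = function ($v) {
        // Short digest only: the log must never contain a usable token.
        return $v === null ? null : substr(hash('sha256', (string) $v), 0, 8);
    };
    $expected  = $session['token'] ?? null;
    $submitted = $post['token'] ?? null;

    if (!isset($cookies[$cookieName])) {
        $reason = 'no_session_cookie';   // cookie domain/path problem, or cookies cleared
    } elseif ($expected === null) {
        $reason = 'session_empty';       // cookie arrived, server-side session data gone
    } elseif ($submitted === null) {
        $reason = 'token_not_submitted'; // form or link was built without the token
    } elseif (!hash_equals((string) $expected, (string) $submitted)) {
        $reason = 'token_mismatch';      // page rendered under an older token
    } else {
        $reason = 'ok';
    }

    return [
        'reason'      => $reason,
        'session_age' => isset($session['created']) ? $now - $session['created'] : null,
        'expected'    => $digest($expected),
        'submitted'   => $digest($submitted),
    ];
}

// Constructed sample requests (not data from the forum in this thread).
$now = 1309500000;
$samples = [
    'fresh post'   => [['token' => 'aaa', 'created' => $now - 120],  ['token' => 'aaa'], ['PHPSESSID' => 'x']],
    'stale tab'    => [['token' => 'bbb', 'created' => $now - 4200], ['token' => 'aaa'], ['PHPSESSID' => 'x']],
    'session lost' => [[],                                            ['token' => 'aaa'], ['PHPSESSID' => 'x']],
    'no cookie'    => [[],                                            ['token' => 'aaa'], []],
];
foreach ($samples as $label => [$session, $post, $cookies]) {
    $result = diagnose_session_check($session, $post, $cookies, 'PHPSESSID', $now);
    echo $label, ': ', json_encode($result), PHP_EOL;
}
```

Grouping the logged reasons shows whether rejections cluster on missing cookies, lost server-side session data, or stale tokens, which are different problems with different fixes.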

SlammedDime

Have you disabled database driven sessions?  Might be worth a shot..

lorth

thanks for the reminder, i totally forgot about that.
i did disable them just now.

digit

Quote from: SlammedDime - July 01, 2011, 10:51:45 AM
Have you disabled database driven sessions?  Might be worth a shot..

My members have been reporting quite a few "Session verification failed" messages lately too.

I have a VERY large forum, and before trying to disable database driven sessions, I would like to know..  is there any downside to disabling database driven sessions?

Will this log out my members?

Thanks.

p.s.,  I'm running 1.1.14 with a ton of manually installed mods. :(

EDIT : LOL!!!  I just got that message posting THIS HERE!!!!!  Hitting post button a second time...

HMMM...  this is interesting...   

My members complain that they take a lot of time to post a message, but when they get the error and try to go back, the post form is empty - so they lose their posts (I can understand the frustration!!!) 

I think in 1.1.14, members get another page with the error message....

HERE, it looks like the preview post doohickey - where the error appears above the current message post page....  with your post still intact.

IS there a mod that would do the same for 1.1.x?  So even if there is a session error - users don't lose their post?

Thanks again

Happily using a heavily modified 1.1.16 version of SMF!

2748011 Posts in 320998 Topics by 50986 Members


SOLD my website - thanks it was a good run - they converted to vbadvanced. (and screwed it up good!)

lorth

Quote from: SlammedDime - July 01, 2011, 10:51:45 AM
Have you disabled database driven sessions?  Might be worth a shot..

i tried it and got hit again by the bug within minutes.
also, this time deleting cookies seemed to have worked for every member i told to delete the cookies.
still a ******ty solution, because it logs the members off from the forum.

Quote from: digit - July 04, 2011, 01:10:41 AM
I have a VERY large forum, and before trying to disable database driven sessions, I would like to know..  is there any downside to disabling database driven sessions?

there is an infotext (popup) right next to the setting in the admincenter.

Quote from: digit - July 04, 2011, 01:10:41 AM
Will this log out my members?

i don't think so.



as for the more detailed log i hacked together:
it seems the bug hits users like everywhere:
  • posting PMs
  • posting in the forum
  • logging out
  • logging in
  • register
  • delete own account
  • accessing the admincenter
  • accessing the forum's errorlog
  • setting which theme to use
  • marking boards as read
  • sending password reminders

this is pure horror.

beside the fact that i think it is just braindead to disable sessionchecks at all... i did it again.
i really need a forum which does not drive users crazy. or away.

any and all hints, tips, tricks, possibilities, questions, ideas are welcome.


lorth

updated my forum to v2.0, no complaints about session error by my members so far.
will open a new thread in the 2.0 support board if needed.
