Bizarre user logins etc...

Started by stompbox, April 28, 2018, 02:00:49 PM


stompbox

After moving to a new server and also updating from 2.0.14 to 2.0.15, users have been seeing themselves being banned, or logged in with someone else's profile. This is all temporary as a click to read the forum etc... will correct itself. I myself have been logged in as someone else. It's usually the last person logged in.

I don't remember this happening with 2.0.14 but I have also changed servers.
Any ideas on what this might be? It seems to persist - day to day with different users. It's somewhat harmless in that it fixes itself, but any ideas appreciated.

vbgamer45

What are your caching settings set at in SMF under server settings?
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Illori

Usually this is an issue with server side cache like Varnish. You would need to ask your host to disable it for your account.

stompbox

Quote: What is your caching settings set at in smf under server settings

Caching level: No Caching
memcache settings: blank

Illori

Then, as I said above, you need to reach out to your host.

vbgamer45

I agree, yes, server config issue.

stompbox

OK they said there is no caching. Any other ideas? Thanks

: There is no caching plugin installed. The caching plugin is available on the server but it's only for WordPress and your forum is not WordPress.

Illori

Then they are lying to you. The only way for this to happen is with the use of server side caching.

GigaWatt

Do you have a backup of the 2.0.14 version? If you do, test if this happens with the 2.0.14 version... although, as Illori posted, I doubt the problem will disappear with rolling back to 2.0.14. Don't roll back the database, only the files.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Aleksi "Lex" Kilpinen

Nothing between .14 and .15 changes in a way that would cause that. All the symptoms described are however familiar symptoms of a badly configured server side cache, such as Varnish.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

GigaWatt

Yeah, I know... what I suggested was an attempt to persuade the OP that the problem is not the update itself, but a server side problem ;).

stompbox

Does this help at all?
(from a user)
I was logged in
1) I tried to post something and it was taking ages to post.  So I clicked on the forum link to move on.
2) I then became another user
3) I clicked a forum link again and I became banned but it reported me as a Guest.
4) I looked at my cookies and saw three cookies:
    SMFCOOKIE923    which contained a long string with "percent coded" numbers etc.,
                    which decoded to something like  a:4:{i:0;s:3:"160"; ...
    PHPSESSIONID
    SMFCOOKIE923_   which contained 480

5) The SMFCOOKIE923_ looked dodgy so I deleted it. Then on the next click I was not banned and I was still logged in as myself. I posted this so it must be working!
-----------
Edit: I logged out and logged in and I do not see the "SMFCOOKIE923_" cookie.

GigaWatt

Is that the cookie name of your forum (SMFCOOKIE923)? Have you tried changing it to something more adequate (not leave it so generic)? For example, if your forum is about horses and your URL is ponysandhorses.com, your cookie name should be something like "ponhorse"... or something along those lines.

Aleksi "Lex" Kilpinen

Do contact your host and make them double check Varnish is not active on your account.

lurkalot

Varnish doesn't show up on that site from what I can see. But if I have the correct site, it appears to be running WordPress as well, which I believe can cause problems when running together, depending on how they are set up.
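
The "is a shared cache sitting in front of the forum" check discussed above can be scripted; the following is an added example, not part of any post in this thread, that audits raw response headers for cache fingerprints and for Set-Cookie on responses a shared cache may store or has already served. The marker headers are common cache indicators chosen for illustration, and the sample responses are constructed, not captured from the forum in question.

```python
# Added example. Sample responses below are constructed, not captured from any real site.
CACHE_MARKERS = ("age", "via", "x-cache", "x-varnish")   # headers a shared cache commonly adds
NO_SHARE = {"private", "no-store", "no-cache"}           # block unvalidated shared reuse

def parse_headers(raw):
    """Raw response head -> {lowercase name: [values]}; Set-Cookie may repeat."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue                                      # status line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return findings that point at a shared cache handling per-user responses."""
    h, findings = parse_headers(raw), []
    seen = sorted(m for m in CACHE_MARKERS if m in h)
    if seen:
        findings.append("shared-cache fingerprint: " + ", ".join(seen))
    directives = {d.strip().split("=")[0].lower()
                  for v in h.get("cache-control", []) for d in v.split(",")}
    if "set-cookie" in h and not directives & NO_SHARE:
        findings.append("Set-Cookie on a response a shared cache may store")
    from_cache = (any("hit" in v.lower() for v in h.get("x-cache", []))
                  or any(v.isdigit() and int(v) > 0 for v in h.get("age", [])))
    if "set-cookie" in h and from_cache:
        findings.append("Set-Cookie served from cache: one visitor's cookie replayed to another")
    return findings

ORIGIN_ONLY = """HTTP/1.1 200 OK
Cache-Control: private, no-cache
Set-Cookie: PHPSESSID=constructed-a; path=/"""

CACHED_STATIC = """HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
X-Cache: HIT
Age: 10"""

CACHED_SESSION = """HTTP/1.1 200 OK
Via: 1.1 varnish
X-Varnish: 32770 32768
Age: 41
Set-Cookie: PHPSESSID=constructed-b; path=/"""

if __name__ == "__main__":
    for name, raw in (("origin", ORIGIN_ONLY), ("static", CACHED_STATIC), ("session", CACHED_SESSION)):
        print(name, audit(raw))
```

Only the third sample is the failure mode the thread describes: a cached static asset is normal, while a cached response that still carries Set-Cookie hands one visitor's session to the next.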

Kindred

Oh yeah... if you have SMF running in a subdirectory to WordPress, then all sorts of bizarre things can happen, because WordPress (being the hog that it is) assumes that it is the only script running on the site and intercepts everything.

IIRC, it requires a modification to the WordPress default htaccess
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

stompbox

No, WordPress is in its own directory off of the public_html. I can try changing the cookie name. I left it with that name because repair_settings had it as the default.
I can try changing it but it seems like that wouldn't fix the problem.
What if I actually turned caching ON in the server setting for SMF?

Aleksi "Lex" Kilpinen

The cache in SMF is not a similar type of cache, it doesn't keep whole rendered pages in memory like Varnish does. SMF only holds some data it would otherwise repeatedly query from different sources. I'd say turning it on should have no effect really.

stompbox

Thanks! The mystery continues along with people being listed as being banned as well now. If they delete cookies, it all works.

GigaWatt

Have you changed the cookie name?

stompbox

Not yet. It was changed when I went with the default repair_settings.php -  I will try and change it and see.

Aleksi "Lex" Kilpinen

Who is your host? Just out of curiosity.

stompbox


Aleksi "Lex" Kilpinen

OK, I don't know them so that didn't help much for now. Just thought if it perhaps was one we had seen before with a similar issue.

stompbox

OK, what is the significance of the _ (underscore) after the cookie? Check this out:
From a user and BTW I did rename the cookie.


1) I just started my browser and went to the forum (I didn't even get a chance to log-in)
    Got Banned as guest.
    Cookies:
       SMFDIYCookie_            (content 362)
       Only that cookie was present,  there was *no* PHPSESSID cookie.
2) Exit browser
   Started my browser and went to the forum (not logged in)
   Cookies:
      PHPSESSID
3) Logged-in
     Cookies:
       SMFDIYCookie
       PHPSESSID
    Forum all working.
-------------------

GigaWatt

Clear/purge the previous cookies from your browser's cache after you change the cookie name ;).

stompbox

Most of the people having the problems are clearing the cookies. They have browsers that clear everything on exit. I don't get the ban part. Why would the forum ban "guest"? and what is up with the _ underscore on the cookie? Thanks!!!!!!

GigaWatt

I don't think the underscore in the cookie name matters... the cookie name can't contain white spaces so an underscore is used, a dash would also do the job. A dot is also probably not allowed. My forum's cookie name doesn't contain any underscores and everything is working OK.

Are there any bans by IP or IP range on your forum?

stompbox

But the underscore is added, it's not in the regular cookie name. We have noticed that whenever there's a ban - the cookie has an underscore added to it? Anyone know anything about that?
Yes I have bans by IP but not for guest.

Kindred

Well, I would suggest not banning by IP. It's basically useless anyway - and, if you want to ban an IP or range, using .htaccess DENY is better for performance.

GigaWatt

As Kindred wrote, banning by IP is a bad idea. IPs get reused all the time... it's pointless. Transfer the ban to a ban by username and/or email. I've had situations where no one from a whole company can log in on a site because they share the same IP ::), which was put on a ban list 5, 7, 10 years ago ::). It's a waste of time, it can only generate more problems.

How did you update the forum to 2.0.15, by patching or by uploading a fresh set of files? Does this behavior also happen when using the default theme (Curve)?

Aleksi "Lex" Kilpinen

OK, I've been trying to visit the forum from different browsers, at different times - and all "oddities" I've encountered have been bans.
Please, to begin with go through your ban triggers and make sure you have no IP or hostname bans in effect - For example, any site using Cloudflare could inadvertently ban a majority of their users with just one or two IP addresses....

stompbox

No, something else is happening. When the ban occurs, the name of the cookie always has an underscore on the end. Simply deleting that cookie will allow access. If you think about it, the IP is not changed. The ban is happening on people that always log out as well.

GigaWatt

Quote from: GigaWatt on May 04, 2018, 07:24:59 PM
How did you update the forum to 2.0.15, by patching or by uploading a fresh set of files? Does this behavior also happen when using the default theme (Curve)?

stompbox

I used the update via admin. It's still banning people but in all cases if you delete the cookie with the underscore they are ok after that. Does anyone know where to look at the cookie code that creates the underscore?

GigaWatt

Is the problem resolved, or are you still having issues? If you are, you could try a clean install of 2.0.15 with no mods or themes other than the default one, see if the problem is solved.
