Session Verification Failed=cannot enter forum

Started by iaccountant, August 24, 2018, 12:45:37 PM


iaccountant

Searched community and google and found some threads, but there seems to be no fixed solution and I cannot even get into the forum to check things

But here goes

Found I could not get into the index page this am. Got an error that said server\cpu load was maxed out (site was hitting cloudlinux resource limit set in server) and disallowing entry and to try again later. Found in Cpanel that indeed the CPU and number of processes had maxed out

So I had my web host check and they found lots of "hanging processes" at the index page (public_html/*****.ca/forum/index.php ) which they cleared out...then restarted Apache

Found I could then get into my index page, but then I could not get into the forum

First time the process just spun on and I stopped the browser

Second time (and since) I actually got "session verification failed" message and have not been able to get in at all

Anyone else run across this?

In the meantime, in Cpanel, the CPU usage has climbed again to 100%

And when I check the forum directory, the last "error catching" message in Settings.php was db_last_error = 147504220

Also checked the db in Cpanel and it reported no errors


Particulars of setup

Apache 2.4.34
PHP 5.6.37
MySql 5.5.59
SMF 2.0.15



Sir Osis of Liver

Have you or your host run a security scan on your account?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

iaccountant

Not that I know of

I have not yet received any news back from them after indicating that although I have now been able to access my log in page, I cannot get in. Waiting for some info back

But I expect they will say it is an SMF issue...dunno. Do have a good host so ...

Do you think it is a hacking attempt???

drewactual

i'd be looking at whatever is consuming that much resource from your machine, too... do you have rotating adverts or banners on it?  they could have injected some sort of script that is working overtime on your dime.

iaccountant

Nothing of the sort

It is as plain vanilla a forum as can be...intentionally. Only mods are Articles and Knowledge base...neither one seems to be an issue

BTW I have more SMF forums...been looking at it now too....the other one I can sign into, but it seems I can't post (like an earlier posted issue) then seems I can't sign out

Get this when I try to post
The following error or errors occurred while posting this message:
Your session timed out while posting. Please try to re-submit your message.

So I expect there is an issue with the hosting end


drewactual


iaccountant

See one earlier post too...re other forum I run

what is memcache and where would it be located??? (did google it===seems to be something host would use)

BTW== just tried logging in via my tablet. Got in, but then when I tried to access admin section (was going to look at error log first), I got "kicked out" and asked to re-enter password. When I did that, all was as before==ie, "session verification fail"

drewactual

it's just a mechanism to handle sessions in a manner that doesn't have to write and rewrite flat files... it holds it in suspension... disregard...

if i were you i'd put the forum in maintenance mode and restart the http service... you can do so by editing your Settings.php file and following the directions there... if your resources are still being consumed, it isn't SMF that's doing it... it's something else...

iaccountant

Yes...as per above, the forum that flagged the issue seems to not be the only one with problems...so I gather it is most likely a host issue...but then what could that be

(not to disregard changing settings file...but not sure how to do that)

drewactual

it sniffs of a DDoS attack... you can ask your host to place the forum(s) in maintenance mode as i suggested (they'll know how), as well as ask them to harden your php.ini settings to protect you (beginning with limiting execution time allowed), and then wait it out.

iaccountant

Host now working at their end. I operate more than one forum...one main one, a demo forum, then two that I set up that are not really "happening"

All of them have the same issue...and one of them is the last V1 version.

So IMO the issue is on the host server but not with SMF

Note I

1) researched via Google
2) researched this community
3) tried all 4 forums...with more than one device

Will keep community advised as things develop

iaccountant

So my host tried a few things to no avail

Latest message

Hello John,

The issue is only with the main and sub forum navigation pages for http://www.taxboard.ca/forum. The page is getting executed continuously. I can click on other pages and navigate, however the original page is still getting executed in the backend and the process is not getting terminated. This increases the resource usage and your other forums are also getting affected. I have now reduced the PHP time out value so that the server can terminate the process without affecting the overall resource usage.

I verified the backend process that is running continuously. It is not trying to process anything. But it is not getting terminated too. It is just running continuously without performing anything.


In the meantime, another poster is having similar but not identical problems and the suggested solution that seemed to work was here
https://wiki.simplemachines.org/smf/Login_error_2.0.14


Don't want to mess with things unless I am sure because really, I know just enough to be dangerous.

I know I can simply try it to see if it works....but as the problems are not quite identical, would like some input from someone who knows

So




Sir Osis of Liver

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

iaccountant

Thanks for chiming back in with the security scan suggestion. The answer is not that I know of. I do know they spent time nosing around and said they eliminated any issue at the server level....leading me back here and to the "patch" possibility...

but I will forward that suggestion to them in the morning. Thank you


shawnb61

Random thoughts... 

Have you taken a look at your redirects?  Maybe in .htaccess, maybe in index.htm...  I would look closely at both, if they are there.  Maybe something there is getting caught up. 

Also, how long has your forum been around?  When did it become unstable?  How long have you been on that host?  Who is the host...  Understanding some history might help. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

iaccountant

Just got scan report and no issues

Have had no look around inside SMF folders or files except for a quick check in the root and I did look at I think it was the Config.

Problem appeared just about a week ago now. It's a totally vanilla forum with only the Knowledge Base and Articles mods. Kept both up to date so running .15

They did say the real issue was at the taxboard.ca gate

I've been running this forum since V1 some time, about 10 years now.

All with the same host, Canadian Web Hosting. Solid, redependable, reputable etc

Not sure what I'd be looking for in either .htaccess index files

iaccountant

#16
Any more ideas?

I want to try the "patch" I linked to, but want a bit more guidance there before I start to mess around with the plumbing as I have only a rudimentary knowledge of php.

First thing to note is that I have no alternate themes, so perhaps I am OK and what is necessary is already in that file.

I did check the index.template.php to see where to insert the patch and I found it is actually a v2.0.14 index template while the login.template.php seems to indicate it is v2.0.15

I also cannot find the </form> tag in the index.template.php... did find one in the login.index.php... and found no reference to the patch line there... so there is likely where I need to copy the patch line(s) (one answer calls for both, one for the second line only)

<input type="hidden" name="hash_passwrd" value="" />
<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />


Before I try this, I would be far more comfortable having a knowledgeable SMF person nearby

iaccountant

Something else I did

Unloaded two forums I was not really using, leaving only 2 of them to worry about...both are 2.0.15 plain vanilla forums\themes. Only mods are Knowledge base and Articles for ONE and Knowledge base for TWO

Then I went into the database using phpMyAdmin to make sure the global cookies and local cookies were set to "0" in the db Settings per another suggestion. What I found was that in the ONE, which I started way back with 1.6 or so, only had a setting for Globalcookies (was set at 1), while forum TWO, which was set up later..and as I recall "natively" in V2, I did find both globalcookies and local cookies settings. Both were at 1 and I set them to 0.

At this point, entry to ONE still hangs, while I now get a new message at TWO that says

An Error Has Occurred!
Unable to verify referring url. Please go back and try again.


Sir Osis of Liver

#18
index.template.php -



// Otherwise they're a guest - this time ask them to either register or login - lazy bums...
elseif (!empty($context['show_login_bar']))
{
echo '
<script type="text/javascript" src="', $settings['default_theme_url'], '/scripts/sha1.js"></script>
<form id="guest_form" action="', $scripturl, '?action=login2" method="post" accept-charset="', $context['character_set'], '" ', empty($context['disable_login_hashing']) ? ' onsubmit="hashLoginPassword(this, \'' . $context['session_id'] . '\');"' : '', '>
<div class="info">', sprintf($txt['welcome_guest'], $txt['guest_title']), '</div>
<input type="text" name="user" size="10" class="input_text" />
<input type="password" name="passwrd" size="10" class="input_password" />
<select name="cookielength">
<option value="60">', $txt['one_hour'], '</option>
<option value="1440">', $txt['one_day'], '</option>
<option value="10080">', $txt['one_week'], '</option>
<option value="43200">', $txt['one_month'], '</option>
<option value="-1" selected="selected">', $txt['forever'], '</option>
</select>
<input type="submit" value="', $txt['login'], '" class="button_submit" /><br />
<div class="info">', $txt['quick_login_dec'], '</div>';

if (!empty($modSettings['enableOpenID']))
echo '
<br /><input type="text" name="openid_identifier" id="openid_url" size="25" class="input_text openid_login" />';

echo '
<input type="hidden" name="hash_passwrd" value="" />
<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
</form>';
}



This is from default Curve.  Not all themes have a header login, so you may not find it in a different theme.  The session check was added in 2.0.14, and will only be missing in custom theme index templates.  If you're running default Curve and don't find the </form> tag, the code has been modified.  Have you tried doing a clean install?

Ok, just found the link to your forum, header login has been removed so there's no code to fix.  This code should appear in three places in Login.template.php, if it's there, you have a different problem.



<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />



Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters
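
One way to check every theme for login forms that lack the session field described in the post above. This is an added example, not part of the thread and not SMF's own code; the function names and the sample template are constructed for illustration, and the patterns assume the form markup quoted in the post:

```python
import re
from pathlib import Path

# A form that posts to SMF's login handler, up to its closing tag.
LOGIN_FORM = re.compile(r"<form\b[^>]*action=login2.*?</form>", re.S | re.I)

# The hidden session field quoted in the post, as it appears in template source.
SESSION_FIELD = re.compile(
    r'''name="',\s*\$context\['session_var'\]\s*,\s*'"\s+'''
    r'''value="',\s*\$context\['session_id'\]'''
)

def login_forms_missing_token(source):
    """Return the 1-based line numbers of login forms lacking the session field."""
    return [source.count("\n", 0, m.start()) + 1
            for m in LOGIN_FORM.finditer(source)
            if not SESSION_FIELD.search(m.group(0))]

def scan_themes(themes_dir):
    """Map each *.template.php under themes_dir to its unprotected login forms."""
    report = {}
    for path in sorted(Path(themes_dir).rglob("*.template.php")):
        lines = login_forms_missing_token(path.read_text(errors="replace"))
        if lines:
            report[str(path)] = lines
    return report

# Constructed sample: the first form lacks the session field, the second has it.
SAMPLE = r'''<?php
echo '
<form id="guest_form" action="', $scripturl, '?action=login2" method="post">
<input type="password" name="passwrd" />
<input type="hidden" name="hash_passwrd" value="" />
</form>';
echo '
<form action="', $scripturl, '?action=login2" method="post">
<input type="hidden" name="hash_passwrd" value="" />
<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
</form>';
'''

if __name__ == "__main__":
    print(login_forms_missing_token(SAMPLE))
```

Calling scan_themes on the forum's Themes directory lists each template file with a login form that still needs the hidden field.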

iaccountant

#19
This is what that section looks like in my themes\default\index.template.php...so pretty much as expected. NOTE THAT COMES FROM THE Themes\default folder and its file.

The code was MISSING in my themes\core\index.template.php file and I added there. This was the case in both my forums

No change to forum ..ie, cannot get in


in main forum  Still got the session verification issue, now just hangs when I try to get to forum/index

in second forum I get this message   Unable to verify referring url. Please go back and try again.


This is what it looked like in the themes/default/

// Otherwise they're a guest - this time ask them to either register or login - lazy bums...
elseif (!empty($context['show_login_bar']))
{
echo '
<script type="text/javascript" src="', $settings['default_theme_url'], '/scripts/sha1.js"></script>
<form id="guest_form" action="', $scripturl, '?action=login2" method="post" accept-charset="', $context['character_set'], '" ', empty($context['disable_login_hashing']) ? ' onsubmit="hashLoginPassword(this, \'' . $context['session_id'] . '\');"' : '', '>
<div class="info">', sprintf($txt['welcome_guest'], $txt['guest_title']), '</div>
<input type="text" name="user" size="10" class="input_text" />
<input type="password" name="passwrd" size="10" class="input_password" />
<select name="cookielength">
<option value="60">', $txt['one_hour'], '</option>
<option value="1440">', $txt['one_day'], '</option>
<option value="10080">', $txt['one_week'], '</option>
<option value="43200">', $txt['one_month'], '</option>
<option value="-1" selected="selected">', $txt['forever'], '</option>
</select>
<input type="submit" value="', $txt['login'], '" class="button_submit" /><br />
<div class="info">', $txt['quick_login_dec'], '</div>';

if (!empty($modSettings['enableOpenID']))
echo '
<br /><input type="text" name="openid_identifier" id="openid_url" size="25" class="input_text openid_login" />';

echo '
<input type="hidden" name="hash_passwrd" value="" /><input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
</form>';

===========================================================


Will look again, but I can only find this code once in that file

<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

==============================================================

What about my missing database field for localcookies? Could that be the issue?

===============================================================

Summary of my internal changes

Used phpMyAdmin to check database setting for both to implement suggestion to set cookies values to zero for both global and local cookies. NOTE that local cookies variable was missing from my main forum database...the one that started way back with V1.6....so that could be an issue

Added above code string to index.template.php in the themes\core folder where indicated.
