Guest session ID is too long for IPv6 users [2.0]

Started by MegaBrutal, January 19, 2023, 09:00:01 PM

Previous topic - Next topic

MegaBrutal

One of my users reported that they can't reset their password because they get a database error.

I finally reproduced the problem, it turns out it only affects users visiting through IPv6.
The following message appears in Error log:

Database error: Data too long for column 'session' at row 1
File: /Sources/Subs.php
Line: 2780

On the referred line, SMF attempts the following SQL query:

                $smcFunc['db_insert']($do_delete ? 'ignore' : 'replace',
                        '{db_prefix}log_online',
                        array('session' => 'string', 'id_member' => 'int', 'id_spider' => 'int', 'log_time' => 'int', 'ip' => 'raw', 'url' => 'string'),
                        array($session_id, $user_info['id'], empty($_SESSION['id_robot']) ? 0 : $_SESSION['id_robot'], time(), 'IFNULL(INET_ATON(\'' . $user_info['ip'] . '\'), 0)', $serialized),
                        array('session')
                );

Because the error message says that the value is too long for the `session` column, I checked `smf_log_online` and found that `session` is a VARCHAR(32):

MariaDB [test]> DESCRIBE `smf_log_online`;
+-----------+-----------------------+------+-----+---------+-------+
| Field     | Type                  | Null | Key | Default | Extra |
+-----------+-----------------------+------+-----+---------+-------+
| session   | varchar(32)           | NO   | PRI |         |       |
| log_time  | int(10)               | NO   | MUL | 0       |       |
| id_member | mediumint(8) unsigned | NO   | MUL | 0       |       |
| id_spider | smallint(5) unsigned  | NO   |     | 0       |       |
| ip        | int(10) unsigned      | NO   |     | 0       |       |
| url       | text                  | NO   |     | NULL    |       |
+-----------+-----------------------+------+-----+---------+-------+

The session ID is constructed here:

        // Guests use 0, members use their session ID.
        $session_id = $user_info['is_guest'] ? 'ip' . $user_info['ip'] : session_id();

With an IPv6 address, this value may easily exceed 32 characters.

I'm using the IPv6 Support mod. I tried to remove it because I assumed built-in IPv6 support of SMF has fleshed out by now and I don't really need this mod, but turns out I do – when I remove it, SMF stops showing, and probably even logging IPv6 addresses. Now that the mod is marked as outdate, I don't know what should I use to enable full IPv6 support. I hope if I upgrade to SMF 2.1 one time in the future, I won't need any mod for IPv6; but for now, I have to live with this. Still, it would be great if guest session IDs would be generated by other way, or the `session` field would be extended.

Quote from: Software versionsSMF: 2.0.19
DB: MariaDB 10.5.18-MariaDB-0+deb11u1 Debian 11
PHP: 7.4.33-1+deb11u1
Webserver: 2.4.54-1~deb11u1
Despite this.
I feel obligated to suggest.
Should you choose to create this world once more.
Another path would be better suited.


Diego Andrés

Doubt it will be fixed.
But you can just update the size of the column, SMF 2.1 uses 128.

SMF Tricks - Free & Premium Responsive Themes for SMF.

Advertisement: