Short password timeout in Comments

Hang out, sip some ice tea, and shoot the breeze with TR regulars.

Moderators: emkubed, Captain Ned

Re: Short password timeout in Comments

Postposted on Wed Apr 02, 2014 5:13 pm

Okay guys, I had a breakthrough of sorts yesterday and managed to faithfully reproduce the conditions under which one would get logged out.

Just a few minutes ago, we implemented a tentative fix. Keep your eyes peeled, and make sure you log in with "Rememember me" checked.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Wed Apr 02, 2014 10:21 pm

That may have been the trick. It's been at least an hour since I checked the site and I even with through a reboot (after a game locked up the system.) Yet I'm still logged in.

Yes, still logged in this morning. Even through a browser update and restart. Looks like it's fixed for real.
nanoflower
Gerbil First Class
 
Posts: 191
Joined: Wed Mar 04, 2009 1:10 pm

Re: Short password timeout in Comments

Postposted on Fri Apr 04, 2014 9:43 am

You know what? I think you might have fixed it. I haven't been logged out in over a day. I've never made it overnight since the change, before.

*crossfingers*
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Sat Apr 05, 2014 7:44 am

And another. Fingers are still crossed.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Sat Apr 05, 2014 10:15 am

Ssshh... be vewy vewy quiet...

Don't jinx it!
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Sat Apr 05, 2014 10:45 am

Quite the opposite, I'm doing all I can to break it. If it can resist that, then I'll agree it's fixed. :)
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Mon Apr 07, 2014 3:36 pm

Okay, no failures here since those earlier posts. Has anyone had any issues in that time frame? If not, I think we may be past this.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Mon Apr 07, 2014 3:47 pm

I'm leaning towards that way as well, but last time I cried victory... we came across another bug :)
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Mon Apr 07, 2014 3:51 pm

Better a known bug without a solution and an unknown one--without a solution.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 3:36 pm

Oh, drat. I just got logged out and, for the first time, it wasn't when I was idle. I refreshed a page at TR to see new comments tabbed to another TR article, refreshed it and I was logged out! It was a matter of seconds between the two refreshes and I didn't click anything on the pages, I just refreshed the windows.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 3:41 pm

willmore wrote:Oh, drat. I just got logged out and, for the first time, it wasn't when I was idle. I refreshed a page at TR to see new comments tabbed to another TR article, refreshed it and I was logged out! It was a matter of seconds between the two refreshes and I didn't click anything on the pages, I just refreshed the windows.

Have you changed your password recently?
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 5:15 pm

Uhh, no? Are you suggesting I do because of the Heartbleed issue or are you just trying to debug this?
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 5:19 pm

If a user refreshes his password, any other open sessions will automatically expire.

Regarding what you described (hitting an article, then refreshing another tab) - before doing the first action, had you been idle for an hour or so?
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 7:50 pm

I had been idle for maybe that long before the first refresh, yes. Cleaning the house for the impending arrival of the inlaws.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 7:57 pm

Okay, in that case, what you may have experienced is "normal" in phpBB.

- Your 1-hr session times out. (keep in mind those time out and are re-created automagically if one sets "remember me").
- You come back and refresh a page, then in under one second you tab and refresh another.
- Two session requests trample each other and cancel out for security reasons. Why? Because the session timer's resolution is... one second.

This is a bug/feature in phpBB that I've personally verified in the code. Maybe there's some way around this particular corner case, but I haven't found it. I'm reasonably certain that it behaves this way "by design".

Having said all that, if you do get logged out when opening any single page, then there may be, in fact, a problem.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Wed Apr 09, 2014 8:02 pm

That's an interesting scenario. I'm pretty sure I didn't refresh them within one second--I actaully read the first refreshed page. I'll keep an eye out to see if this is a possible scenario.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Thu May 01, 2014 10:05 am

Just wanted to come chime in, seems logins are persisting pretty well for me now. It's probably been about a week that I've noticed not having to login all the time.

Good work!
cygnus1
Gerbil
Gold subscriber
 
 
Posts: 65
Joined: Fri Oct 28, 2005 9:49 pm

Re: Short password timeout in Comments

Postposted on Thu May 01, 2014 10:20 am

Cool.

Something else that may play into this and that we control are transparent proxies on the ISPs' part. I say this because recently my own ISP had some random flakiness going for about a week, and I was getting logged out from one day to the other. Lo and behold, ISP problems stop, and the login problems stop too.

If I had to guess, transparent proxies and SSL don't really mix all that well. Or at least the poorly-configured ones.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Tue May 13, 2014 2:18 pm

Any chance we could get a summary of what the problem turned out to be? It might come in handy for some other poor individual who finds themself in the same boat.
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Sun Jun 01, 2014 1:01 pm

There were two distinct and unrelated problems:

1) phpBB has a rather restrictive set of security measures designed to identify someone's session on the forum. Said measures include but are not limited to ensuring that the IP (or part of it) matches. This is almost guaranteed to cause issues in this day and age since a lot of people have laptops and other mobile devices that get their IPs shuffled around a lot. Removing this check helped matters immensely.

2) Our front page discussion pages, as I'm sure you've all noticed, are tied to your main forum account. In those pages, by accident, we were initializing the phpBB user (in other words, checking who's logged in) twice. You'd think that this would pose no problem other than an infinitesimal slowdown, but it so happens that the phpBB user authentication code totally doesn't like this. As in, the second user authentication call in the same page would knock out the first and kick users out of being logged in.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Sun Jun 01, 2014 2:02 pm

FYI, I still get logged out frequently, and it used to hold for weeks/months. The office in London is a static IP and my workstation even has a static IP on the internal network - if that one logs me out all the time then the password timeout issue either isn't fixed yet, or that aspect of the problem isn't IP-related.

Not that I'm bothered; I'm sure you guys have more important things to do than arse around with a phpBB witch-hunt, but I just thought I'd mention it.
<insert large, flashing, epileptic-fit-inducing signature (based on the latest internet-meme) here>
Chrispy_
Gerbil Jedi
Gold subscriber
 
 
Posts: 1964
Joined: Fri Apr 09, 2004 3:49 pm

Re: Short password timeout in Comments

Postposted on Sun Jun 01, 2014 7:59 pm

Ok, good to know. We'll try to investigate more at a better time.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Short password timeout in Comments

Postposted on Thu Jun 12, 2014 10:12 am

morphine, thank you for that summary. That second one looks like a real sneaky problem. Good catch!
willmore
Gerbil
 
Posts: 35
Joined: Wed May 28, 2008 11:08 am

Re: Short password timeout in Comments

Postposted on Fri Jun 13, 2014 8:36 am

Yeah, the really difficult part, that in hindsight took weeks/months, was just being able to reproduce the problem.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Grand Admiral Gerbil
Silver subscriber
 
 
Posts: 10023
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Previous

Return to The Back Porch

Who is online

Users browsing this forum: Google [Bot] and 7 guests