Auto-logout

The place for general discussion about the Flying Spaghetti Monster and most things related to Him.

Moderator: All Things Mods

User avatar
ItchyPirate
Fusilli Fuselier
Posts: 145
Joined: Sun Nov 01, 2015 11:38 pm
Location: A strange place

Auto-logout

Postby ItchyPirate » Sat Sep 02, 2017 4:24 pm

The "Forum Issues" section seems to be locked from new topics, so I'm posting this here.

Over the past few weeks, I have noticed that I seem to be getting automatically logged out of the forums within a few minutes (sometimes withing seconds) of logging in. Before this started happening, I seemed to remain logged in for a few hours.

I am not logging out manually,

I do not clear my browser's cookies while browsing the forums. (I do clear them along with the browser cache, but only once a week)

I have tried checking off the "remember me" box, but it seems to extend my session by mere minutes (if I'm lucky).

I often get logged out when I attempt to submit a post, after I've already typed the post. (It seems copy-and-paste is a much better friend than Goggle)

I did not change browsers or browser settings. I am using Qupzilla and, until this issue cropped up, I did not have any issues using Qupzilla with this forum.

My browser is set to remember cookies, and the forum is not blacklisted in my cookie settings.
Captain Itchy Pirate :fsm_yarr:

He who laughs, lasts. :lol:

"You can't argue with all the fools in the world. It is better to let them have their way, then trick them when they're not looking."
--Brom, character in Eragon by Christopher Paolini

User avatar
ChowMein
Brewmeister
Posts: 1947
Joined: Sat Mar 04, 2006 8:38 am
Location: Southern part of the Great White North

Re: Auto-logout

Postby ChowMein » Sat Sep 02, 2017 4:37 pm

The same thing happened to me earliar this year,a half dozen times in under a minute .Each attempt came with a security warning. :facewall:
This continued for a week but all seems well now :confused:

User avatar
Purple Lil
Fusilli Fuselier
Posts: 145
Joined: Sat Jul 08, 2017 2:58 am
Location: Essex, England

Re: Auto-logout

Postby Purple Lil » Sat Sep 02, 2017 5:59 pm

Strange... :confused:

I've had to log back in after several hoirs, but not minutes. At least, not so far.

Did have an internal server error thingy earlier, but seems to be fine now.

User avatar
Roy Hunter
If it's not Scottish, it's crap.
Posts: 15274
Joined: Sun Nov 09, 2008 6:13 pm
Location: It's the place where you are, but that's not important right now.
Contact:

Re: Auto-logout

Postby Roy Hunter » Sat Sep 02, 2017 6:21 pm

Are you sitting comfortably? Then I'll begin...

This forum is over 12 years old. That's about 200 years in internet time. Over that time it has been updated and transferred from format to format, taken apart, had bits taken out, been put back together, had all sorts of interesting things happen to it. However, it's not that dissimilar to what it started off as 12 years ago.

It's also been attacked quite a lot. We have some pretty good security as a result, but even then it's not perfect. The phpBB software it is based on has some fairly good security stuff built in, but if we are still using the basic security credentials that we started with 12 years ago (ie someone who registered 12 years ago can still log in), we are a bit limited in what we can do.

So, in order to reduce the possibility that an 'open' session could be hjacked when you close your browser without logging out (you do all log out before you close your browser, don't you?), phpBB will close the session if it detects a change in IP address. 12 years ago, we tended to have one device (a computer), and our IP addresses seldom changed.

Nowadays, ISPs change our IP addresses all the time (phpBB only uses IPv4 not IPv6). We log in from a phone or iPad as well as our own computer, or we log in at work too. Our session IP changes, or we are logged in from two IP addresses simultaneously, and we get logged out automatically.

So now you know.
"I don't mean to sound bitter, cynical and cruel; but I am, so that's how it comes out." Bill Hicks.
"One should not believe everything one reads on the internet." Abraham Lincoln
"Are you OK?" daftbeaker (<-- very good question, people should ask it more often.)

User avatar
ItchyPirate
Fusilli Fuselier
Posts: 145
Joined: Sun Nov 01, 2015 11:38 pm
Location: A strange place

Re: Auto-logout

Postby ItchyPirate » Sun Sep 03, 2017 2:43 pm

Roy Hunter wrote:So, in order to reduce the possibility that an 'open' session could be hjacked when you close your browser without logging out (you do all log out before you close your browser, don't you?), phpBB will close the session if it detects a change in IP address. 12 years ago, we tended to have one device (a computer), and our IP addresses seldom changed.

Nowadays, ISPs change our IP addresses all the time (phpBB only uses IPv4 not IPv6). We log in from a phone or iPad as well as our own computer, or we log in at work too. Our session IP changes, or we are logged in from two IP addresses simultaneously, and we get logged out automatically.

So now you know.


You're not generically including "me" in "we", are you? 'Cause I don't use iPads (or other similar "dumb devices"), and I refuse to use a "phone" as anything other than a telephone. As for work... I don't slack off :drinking:

Also, it's wrong to assume that all ISPs change IP addresses frequently. Mine gets changed roughly once per month, and it's IPv4 only. I don't "tether" to a mobile connection. Unless there's someone else out there who managed to hijack my account, I should be showing up as coming from one IPv4 address only (yes, I do change my password on occaission, and as a Linux user running ClamAV I'm confident my machine isn't running any malware).

If frequently changing IP addresses were the problem, I'd have to assume that this would have started happening much sooner, i.e. when I registered to this forum (I'm still using the same ISP, same router, same computer, and same OS), and that it would happen no more frequently than once per day (unless your ISP is Tor, it's highly unlikely your IP address would change more frequently than that).

So now you know.
Captain Itchy Pirate :fsm_yarr:

He who laughs, lasts. :lol:

"You can't argue with all the fools in the world. It is better to let them have their way, then trick them when they're not looking."
--Brom, character in Eragon by Christopher Paolini

User avatar
Purple Lil
Fusilli Fuselier
Posts: 145
Joined: Sat Jul 08, 2017 2:58 am
Location: Essex, England

Re: Auto-logout

Postby Purple Lil » Sun Sep 03, 2017 5:01 pm

Roy Hunter wrote:Are you sitting comfortably? Then I'll begin...

This forum is over 12 years old. That's about 200 years in internet time. Over that time it has been updated and transferred from format to format, taken apart, had bits taken out, been put back together, had all sorts of interesting things happen to it. However, it's not that dissimilar to what it started off as 12 years ago.

It's also been attacked quite a lot. We have some pretty good security as a result, but even then it's not perfect. The phpBB software it is based on has some fairly good security stuff built in, but if we are still using the basic security credentials that we started with 12 years ago (ie someone who registered 12 years ago can still log in), we are a bit limited in what we can do.

So, in order to reduce the possibility that an 'open' session could be hjacked when you close your browser without logging out (you do all log out before you close your browser, don't you?), phpBB will close the session if it detects a change in IP address. 12 years ago, we tended to have one device (a computer), and our IP addresses seldom changed.

Nowadays, ISPs change our IP addresses all the time (phpBB only uses IPv4 not IPv6). We log in from a phone or iPad as well as our own computer, or we log in at work too. Our session IP changes, or we are logged in from two IP addresses simultaneously, and we get logged out automatically.

So now you know.


Ah! I have learned a thing!!
:drinking:

User avatar
Roy Hunter
If it's not Scottish, it's crap.
Posts: 15274
Joined: Sun Nov 09, 2008 6:13 pm
Location: It's the place where you are, but that's not important right now.
Contact:

Re: Auto-logout

Postby Roy Hunter » Mon Sep 04, 2017 7:15 am

ItchyPirate wrote:Also, it's wrong to assume that all ISPs change IP addresses frequently. Mine gets changed roughly once per month, and it's IPv4 only. I don't "tether" to a mobile connection. Unless there's someone else out there who managed to hijack my account, I should be showing up as coming from one IPv4 address only (yes, I do change my password on occaission, and as a Linux user running ClamAV I'm confident my machine isn't running any malware).

If frequently changing IP addresses were the problem, I'd have to assume that this would have started happening much sooner, i.e. when I registered to this forum (I'm still using the same ISP, same router, same computer, and same OS), and that it would happen no more frequently than once per day (unless your ISP is Tor, it's highly unlikely your IP address would change more frequently than that).
I can see the records of the IP addresses that the forum software 'sees' you logging in from. You have logged in from quite a few different ones, from the perspective of the forum.

Ultimately we are all logging in from 127.0.0.1, but we go through a whole network of connections from there. What this forum (old and knackered as it is) sees is that the IP address you logged into your session from has changed, so it logs you out.
"I don't mean to sound bitter, cynical and cruel; but I am, so that's how it comes out." Bill Hicks.
"One should not believe everything one reads on the internet." Abraham Lincoln
"Are you OK?" daftbeaker (<-- very good question, people should ask it more often.)

User avatar
ItchyPirate
Fusilli Fuselier
Posts: 145
Joined: Sun Nov 01, 2015 11:38 pm
Location: A strange place

Re: Auto-logout

Postby ItchyPirate » Wed Sep 06, 2017 3:03 pm

Roy Hunter wrote:
ItchyPirate wrote:Also, it's wrong to assume that all ISPs change IP addresses frequently. Mine gets changed roughly once per month, and it's IPv4 only. I don't "tether" to a mobile connection. Unless there's someone else out there who managed to hijack my account, I should be showing up as coming from one IPv4 address only (yes, I do change my password on occaission, and as a Linux user running ClamAV I'm confident my machine isn't running any malware).

If frequently changing IP addresses were the problem, I'd have to assume that this would have started happening much sooner, i.e. when I registered to this forum (I'm still using the same ISP, same router, same computer, and same OS), and that it would happen no more frequently than once per day (unless your ISP is Tor, it's highly unlikely your IP address would change more frequently than that).
I can see the records of the IP addresses that the forum software 'sees' you logging in from. You have logged in from quite a few different ones, from the perspective of the forum.

Ultimately we are all logging in from 127.0.0.1, but we go through a whole network of connections from there. What this forum (old and knackered as it is) sees is that the IP address you logged into your session from has changed, so it logs you out.


If the forum thinks I am changing IP address that frequently, something is broken in the way it is detect IP addresses. It should see the public IP address of my Internet router, and since my computer connects to exactly one router, the forum should see only one IP address. It should not see a different IP address until my ISP decides to change it, which happens once per month -- far from the once per every few seconds that I get logged out.

I once administered a phpBB forum. It started out as a phpBB2 forum and was later upgrade to phpBB3. It was online for at least 10 years before the project it served was discontinued. I never saw an issue like this in either version of phpBB. Something is certainly off.
Captain Itchy Pirate :fsm_yarr:

He who laughs, lasts. :lol:

"You can't argue with all the fools in the world. It is better to let them have their way, then trick them when they're not looking."
--Brom, character in Eragon by Christopher Paolini

User avatar
ItchyPirate
Fusilli Fuselier
Posts: 145
Joined: Sun Nov 01, 2015 11:38 pm
Location: A strange place

Re: Auto-logout

Postby ItchyPirate » Wed Sep 06, 2017 4:02 pm

If one of the admins wants to confirm my IP address for today against the one the forum is seeing, it is:

100.6.8.131

I have checked several times after my last post through my router's web interface, and that is the one it is reporting as my public IP address. It looks like a new one (within the last week), so it should stay the same for awhile.
Captain Itchy Pirate :fsm_yarr:

He who laughs, lasts. :lol:

"You can't argue with all the fools in the world. It is better to let them have their way, then trick them when they're not looking."
--Brom, character in Eragon by Christopher Paolini

User avatar
Roy Hunter
If it's not Scottish, it's crap.
Posts: 15274
Joined: Sun Nov 09, 2008 6:13 pm
Location: It's the place where you are, but that's not important right now.
Contact:

Re: Auto-logout

Postby Roy Hunter » Thu Sep 07, 2017 2:16 am

I just clicked the info button on your post (only available to mods & admins), and that was not a match on any level. Overall, I had three pages of IP addresses you are purported to have posted from. I can't be arsed trawling through them all to see if that one is in there, but it didn't look like it.
"I don't mean to sound bitter, cynical and cruel; but I am, so that's how it comes out." Bill Hicks.
"One should not believe everything one reads on the internet." Abraham Lincoln
"Are you OK?" daftbeaker (<-- very good question, people should ask it more often.)

User avatar
ItchyPirate
Fusilli Fuselier
Posts: 145
Joined: Sun Nov 01, 2015 11:38 pm
Location: A strange place

Re: Auto-logout

Postby ItchyPirate » Thu Sep 07, 2017 7:42 am

Roy Hunter wrote:I just clicked the info button on your post (only available to mods & admins), and that was not a match on any level. Overall, I had three pages of IP addresses you are purported to have posted from. I can't be arsed trawling through them all to see if that one is in there, but it didn't look like it.


If that is the case, there is definitely something wrong with the way the forum is detecting people's IP addresses. I can confirm because I asked DuckDuckGo what my IP address is, and it is the same as the one reported by my router (and thus the one I pasted in my last post). Unfortunately, I can't figure out how to upload a screenshot (clicking the Img button adds the img bbcode, but does not provide a way for me to specify the image), else I would upload the screenshots of both the router reporting the address and DuckDuckGo's confirmation.
Captain Itchy Pirate :fsm_yarr:

He who laughs, lasts. :lol:

"You can't argue with all the fools in the world. It is better to let them have their way, then trick them when they're not looking."
--Brom, character in Eragon by Christopher Paolini

User avatar
Roy Hunter
If it's not Scottish, it's crap.
Posts: 15274
Joined: Sun Nov 09, 2008 6:13 pm
Location: It's the place where you are, but that's not important right now.
Contact:

Re: Auto-logout

Postby Roy Hunter » Fri Sep 08, 2017 3:53 am

DuckDuckGo is reporting your IP address from where you ask it to, also DuckDuckGo is a worldwide concern with servers everywhere, up-to-date software and loads of budget. They use IP addresses to manage the distribution of load across their network, so it's important for them to get it right.

Venganza lives on a little server in a cave in Scandinavia somewhere, hidden behind several layers of 'Go away!' hardware and software, and we have zero budget. We don't care about your IP address, since if you're a bad guy you're probably using a VPN anyway, so it's not going to tell us anything.

However, if we had larger and more up-to-date infrastructure, we could probably establish people's IP addresses more accurately. If you'd like to make a contribution of a few hundred thousand dollars, I'm sure we can deal with the IP address issue for you?
"I don't mean to sound bitter, cynical and cruel; but I am, so that's how it comes out." Bill Hicks.
"One should not believe everything one reads on the internet." Abraham Lincoln
"Are you OK?" daftbeaker (<-- very good question, people should ask it more often.)

User avatar
ItchyPirate
Fusilli Fuselier
Posts: 145
Joined: Sun Nov 01, 2015 11:38 pm
Location: A strange place

Re: Auto-logout

Postby ItchyPirate » Fri Sep 08, 2017 10:39 pm

Or perhaps you can convince whoever runs the server to switch to a cheap VPS (Linode comes to mind)? That's assuming that someone's actually paying for hosting, as opposed to hosting at home or "borrowing" hosting from work. Unfortunately, as a poor college student, I can't even afford my own hosting (even at home - I'd have to pay Verizon extra to "un-filter" the ports incoming connections on all ports and give me a static IP address), so there's no way I could even think to donate thousands of dollars for hosting here.

At any rate, the forum shouldn't detect a different IP address for the same person within seconds when said person is using a single device with a single Internet connection, no matter how frequently the ISP changes the address. If it is, it's not a question of having up-to-date infrastructure; more likely, it's either an OS glitch, an OS glitch, or a forum glitch, or (assuming the infrastructure is to blame, which is unlikely if it hasn't changed) too much complexity in the way things are setup.

Remember: this problem is recent and the first time I saw it in two years. If it worked before, it probably isn't the infrastructure, per se, but more likely to be a software or OS update somewhere that happened around the time the problem started occuring. Upgrading the infrastructure then using the same version of the same software won't fix a software glitch.
Captain Itchy Pirate :fsm_yarr:

He who laughs, lasts. :lol:

"You can't argue with all the fools in the world. It is better to let them have their way, then trick them when they're not looking."
--Brom, character in Eragon by Christopher Paolini


Return to “All Things FSM”

Who is online

Users browsing this forum: No registered users and 6 guests