phpBB2Refugees.com - General Support

IP address checking / prevention of session forgery

SunHunter (Board Member, joined 11 Dec 2019, 5 posts)
Posted: Wed Dec 11, 2019 3:09 pm
Post subject: IP address checking / prevention of session forgery

Hi, I run a reasonably busy phpBB2 forum (pretty much locked in until I rewrite all the custom code to work with phpBB3 - which might not be ever due to the number of customisations). Anyway, first post here, so hi to everyone. The reason for posting and perhaps other people have had the same issue is that the 'remember me' (auto-login) does not seem to work for users with certain ISPs who change their IP address in-between pageloads resulting in loss of session state, mainly due to these lines in includes/sessions.php:

Code:

function session_pagestart($user_ip, $thispage_id)
{
<SNIP>
    // Do not check IP assuming equivalence, if IPv4 we'll check only first 24
    // bits ... I've been told (by vHiker) this should alleviate problems with
    // load balanced et al proxies while retaining some reliance on IP security.

    $ip_check_s = substr($userdata['session_ip'], 0, 6);
    $ip_check_u = substr($user_ip, 0, 6);

    if ($ip_check_s == $ip_check_u)
    {
<SNIP>
        // IP address matches, so continue ...

Obviously one can reduce checking by comparing just the first two octets of the IP address but this won't work if the complete IP address is different which is happening more and more often for some reason.

If the IP address check is eliminated entirely it exposes the board to the possibility that somebody could forge a session by creating their own cookie with a known session ID and then use this to log onto the board, so I'm just wondering if anybody had implemented an alternate solution to this problem? (other people must be having it unless they're not worried about session forgery). Another option might be to use known IP address history for a given user (maybe look at last x sessions instead of just the last one) or browser sniffing to check they're using the same software as last time. I just wondered if there was a mod for this somewhere or some other solution that I've not thought of? TIA.

Jon
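As an added illustration (not phpBB2 code and not the poster's), the check above with the prefix length made explicit: phpBB2 stores an IPv4 address in session_ip as eight hex characters, so the six-character substr is a /24 comparison and four characters would be /16. The User-Agent binding assumes a session_ua_hash column that stock phpBB2 does not have; the sample addresses and browser string are constructed.

```php
<?php
// Added example, not part of phpBB2. phpBB2 keeps IPv4 addresses as 8 hex
// chars (encode_ip('203.0.113.42') === 'cb00712a'), so substr(..., 0, 6) is a
// /24 check. Here the prefix length is a parameter, and the session can also
// be tied to the browser's User-Agent, which survives a mobile IP change.
// Bit arithmetic assumes 64-bit PHP.

// Same encoding phpBB2 uses in includes/functions.php (IPv4 only).
function encode_ip($dotquad_ip)
{
    $o = explode('.', $dotquad_ip);
    return sprintf('%02x%02x%02x%02x', $o[0], $o[1], $o[2], $o[3]);
}

// True when the first $bits bits of two encoded IPs agree; 0 disables the check.
function session_ip_matches($session_ip_hex, $user_ip_hex, $bits = 24)
{
    if ($bits <= 0) {
        return true;
    }
    $s = hexdec(substr($session_ip_hex, 0, 8));
    $u = hexdec(substr($user_ip_hex, 0, 8));
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($s ^ $u) & $mask) === 0;
}

// Hash written to the hypothetical session_ua_hash column when the session is created.
function session_ua_hash($user_agent)
{
    return md5(strtolower(trim($user_agent)));
}

// Accept the session only if the IP prefix (if any) and the User-Agent both match.
function session_is_valid(array $row, $user_ip_hex, $user_agent, $ip_bits = 16)
{
    return session_ip_matches($row['session_ip'], $user_ip_hex, $ip_bits)
        && hash_equals($row['session_ua_hash'], session_ua_hash($user_agent));
}

// Constructed sample: a phone that moved from 203.0.113.42 to 203.0.200.7 mid-session.
$ua  = 'Mozilla/5.0 (Linux; Android 10) Mobile Safari/537.36';
$row = ['session_ip' => encode_ip('203.0.113.42'), 'session_ua_hash' => session_ua_hash($ua)];
$now = encode_ip('203.0.200.7');

// Stock /24 prefix, a /16 prefix, a UA binding with the IP check disabled,
// and a different client presenting the same cookie with the IP check disabled.
var_dump(session_ip_matches($row['session_ip'], $now, 24));
var_dump(session_ip_matches($row['session_ip'], $now, 16));
var_dump(session_is_valid($row, $now, $ua, 0));
var_dump(session_is_valid($row, $now, 'curl/7.64.0', 0));
```

A User-Agent string is under the client's control, so this binding raises the bar for a stolen or guessed session id only when combined with a long random id, not on its own.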

Vendethiel (Board Member, joined 26 Oct 2014, 168 posts)
Posted: Mon Dec 16, 2019 11:33 am
Post subject: Re: IP address checking / prevention of session forgery

Hey! Welcome.

Quote:
Obviously one can reduce checking by comparing just the first two octets of the IP address but this won't work if the complete IP address is different which is happening more and more often for some reason.
Probably mobile phones switching networks?

These checks should probably be removed. On 2 of the premods I work(ed) on, I removed phpBB's session id system and just used php's.

_________________
Developer on EzArena, the ADR premod.
Developer on Icy Phoenix, the phpBB hybrid cms.
Developer on IntegraMOD, the full-featured premod.
Help me archive premods on github! (fixed for recent PHPs).

SunHunter (Board Member, joined 11 Dec 2019, 5 posts)
Posted: Mon Dec 16, 2019 11:48 am
Post subject: Re: IP address checking / prevention of session forgery

Thanks, I think you are right about switching mobile networks (most of the time, problems seem to be from cell phones). I just wondered if it would compromise security too much by switching off IP address checking, but I guess it's just a necessary compromise to keep the board usable.

SunHunter (Board Member, joined 11 Dec 2019, 5 posts)
Posted: Fri Dec 20, 2019 11:41 am
Post subject: Re: IP address checking / prevention of session forgery

Not sure whether to start a new topic or not, but kind of related to the above. I've turned off IP address checking in session_pagestart but noticed in session_begin that an IP address check is performed when creating a new session (& new session ID is generated if previous session is not found for session ID *and* IP address). Is it safe to remove the check against the user IP address without breaking anything? (not sure, but I think new session IDs could affect/break auto-login but don't want to introduce other issues by removing this check)

Code:

function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_autologin = 0, $admin = 0)
{
<SNIP>
    //
    // Create or update the session
    //
    $sql = "UPDATE " . SESSIONS_TABLE . "
        SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login, session_admin = $admin
        WHERE session_id = '" . $session_id . "'
            AND session_ip = '$user_ip'";

    if ( !$db->sql_query($sql) || !$db->sql_affectedrows() )
    {
        $session_id = md5(dss_rand());

        // [New session ID now created (won't match existing)....]

        $sql = "INSERT INTO " . SESSIONS_TABLE . "
            (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin)
            VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)";
        if ( !$db->sql_query($sql) )
        {
            message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
        }
    }

Vendethiel (Board Member, joined 26 Oct 2014, 168 posts)
Posted: Fri Dec 20, 2019 1:16 pm
Post subject: Re: IP address checking / prevention of session forgery

Honestly, removing phpbb2's sessions mechanism in general is a step forward. The only thing that might break are online counters etc.
_________________
Developer on EzArena, the ADR premod.
Developer on Icy Phoenix, the phpBB hybrid cms.
Developer on IntegraMOD, the full-featured premod.
Help me archive premods on github! (fixed for recent PHPs).

SunHunter (Board Member, joined 11 Dec 2019, 5 posts)
Posted: Fri Dec 20, 2019 1:22 pm
Post subject: Re: IP address checking / prevention of session forgery

Vendethiel wrote:
Honestly, removing phpbb2's sessions mechanism in general is a step forward. The only thing that might break are online counters etc.

Thanks, I think I might end up doing this if this hack doesn't work. Did you use a mod to replace phpBB's session mechanism, or did you just write your own (& was it a lot of work)?

(I was planning to upgrade to phpBB3 at some point but it's such a mammoth job as I've modified phpBB2 too much and there's no easy way to upgrade without rewriting all the custom code.)

Vendethiel (Board Member, joined 26 Oct 2014, 168 posts)
Posted: Sat Dec 21, 2019 9:32 pm
Post subject: Re: IP address checking / prevention of session forgery

Quote:
Did you use a mod to replace phpBB's session mechanism, or did you just write your own (& was it a lot of work)?
I'm just using PHP's session mechanism nowadays. Nothing in the DB.
_________________
Developer on EzArena, the ADR premod.
Developer on Icy Phoenix, the phpBB hybrid cms.
Developer on IntegraMOD, the full-featured premod.
Help me archive premods on github! (fixed for recent PHPs).
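Added example of the approach Vendethiel describes, written for this thread rather than taken from EzArena, Icy Phoenix or IntegraMOD: login and per-page validation on PHP's native session store with nothing in SESSIONS_TABLE. The session id is regenerated at login, use_strict_mode makes PHP refuse an id it did not issue (the "cookie with a known session ID" case from the first post), and the session is tied to the user id and User-Agent instead of the client IP. Function names and the idle timeout are this example's own choices.

```php
<?php
// Added example (not phpBB2 or premod code): a minimal replacement for
// session_begin()/session_pagestart() on PHP's own session handler.
// Online counters that read SESSIONS_TABLE would need separate tracking.

function native_session_start()
{
    if (session_status() !== PHP_SESSION_NONE) {
        return;
    }
    // Reject ids the server never issued: a cookie carrying a guessed or
    // pre-chosen id gets a fresh empty session instead of adopting that id.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', !empty($_SERVER['HTTPS']) ? '1' : '0');
    session_start();
}

// Called once the password (or autologin key) has been verified.
function native_login($user_id, $user_agent)
{
    native_session_start();
    session_regenerate_id(true);             // new id, old one deleted
    $_SESSION['user_id']   = (int) $user_id;
    $_SESSION['ua_hash']   = md5(strtolower(trim($user_agent)));
    $_SESSION['last_seen'] = time();
}

// Returns the logged-in user id, or 0 when the session is missing, idle
// too long, or presented by a client with a different User-Agent.
function native_session_user($user_agent, $max_idle = 3600)
{
    native_session_start();
    if (empty($_SESSION['user_id'])
        || time() - $_SESSION['last_seen'] > $max_idle
        || !hash_equals($_SESSION['ua_hash'], md5(strtolower(trim($user_agent))))) {
        native_logout();
        return 0;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

function native_logout()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
}
```

The 'remember me' autologin key would still be verified by phpBB2's own code before native_login() is called; only the per-request session state moves out of the database.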

SunHunter (Board Member, joined 11 Dec 2019, 5 posts)
Posted: Mon Dec 23, 2019 9:55 am
Post subject: Re: IP address checking / prevention of session forgery

Thanks, I'm still getting random logouts on my board for users with 'remember me' checked. I may have to do what you have suggested and remove phpBB session handling as I can't seem to find the issue that's causing this (seems to be some kind of cookie issue but unable to determine exactly).

lumpy burgertushie (Board Member, joined 19 Nov 2008, 240 posts)
Posted: Sun Dec 29, 2019 7:06 am
Post subject: Re: IP address checking / prevention of session forgery

Don't know the answer to the question, but checking how phpBB3 does it might help you figure it out.
I have not heard of this problem with changing IPs with phpBB3.

robert