Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
ONSUSPECT - what am I misunderstanding/getting wrong here?
73 views
Skip to first unread message
Paul Herring
Dec 11, 2023, 8:06:49 AM12/11/23
to Fat-Free Framework
Occasionally, and it is very occasionally, ONSUSPECT in \DB\SQL\Session() fires, and I cannot determine why.
Typically, it's a search-engine bot triggering it, and I can't reproduce it myself - at least not whatever the search engines are doing.
My code:
if (!isset($_SESSION)) {
$session = new \DB\SQL\Session(
$f3->get('DB'),
'sessions',
false /* DB should be created using the update scripts, so no TRUE here */,
function ($session) {
$f3 = \Base::instance();
$old_ip = $session->ip();
$old_agent = $session->agent();
$current_ip = strval($f3->get('IP') ?? '');
$current_agent = strval($f3->get('AGENT') ?? '');
if (($old_ip != $current_ip) || ($old_agent != $current_agent)) {
debuglog("ONSUSPECT: user changed from [$old_ip] $old_agent");
debuglog("ONSUSPECT: to [$current_ip] $current_agent");
} else {
debuglog("ONSUSPECT: called, but no observed difference: $current_ip $current_agent");
}
return true;
},
'CSRF'
);
} else {
// Only expecting this bit if the database has been updated in sanityCheck(),
// which is needed before we attempt to store the session there.
//
// php7.2 generates a 'Cannot change session name when session is active' error otherwise
}
The (lightly anonymised) debug coming out of that:
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Mobile Safari/537.36 (compatible; Google-InspectionTool/1.0)
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 (compatible; Google-InspectionTool/1.0)
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 (compatible; Google-InspectionTool/1.0)
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.68] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.68 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 (compatible; Google-InspectionTool/1.0)
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 (compatible; Google-InspectionTool/1.0)
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 (compatible; Google-InspectionTool/1.0)
Sun, 10 Dec 2023 13:37:48 +0000 [66.249.70.68] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.68 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 (compatible; Google-InspectionTool/1.0)
Mon, 11 Dec 2023 00:49:10 +0000 [66.249.70.68] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.68 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 01:34:09 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 02:58:17 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 04:13:38 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 07:09:11 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 12:23:45 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 01:34:09 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 02:58:17 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 04:13:38 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 07:09:11 +0000 [66.249.70.70] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.70 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mon, 11 Dec 2023 12:23:45 +0000 [66.249.70.69] www/example.com/www/index.php::PJH\{closure}(82): ONSUSPECT: called, but no observed difference: 66.249.70.69 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.62 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Looking at the source (presuming it's https://github.com/f3-factory/fatfree-core/blob/774692ce7698904d3cb35bbd4f79376bb17eeddc/db/sql/session.php#L69), and trying to debug print ip and agent from /that/ returns null, even on valid sessions that don't invoke ONSUSPECT, so I'm not sure what I should be looking at to try and diagnose what's going on here.
Anyone got any pointers, please?
--
PJH
v.
Dec 11, 2023, 5:14:35 PM12/11/23
to Fat-Free Framework
I had the same thing, it seems to be a search engine thing, but I also had something similar when pressing and holding a link on an ipad. This should show a preview of the linked page in a popup, but with f3 it generates an error caused by the onsuspect function.
I tried to figure it out but ended up overriding the onsuspect method for sites where seo is important.
Christophe Rolland
Dec 11, 2023, 6:11:51 PM12/11/23
to v. via Fat-Free Framework
Hello everyone,
I'm following up on the topic because I had previously asked about a somewhat random 'On SUSPECT' detection issue. This occurs when I run a Lighthouse analysis in Chrome's development tool. The loading and analysis go smoothly, but when I return to regular browsing, I get redirected to a 403 error. If I refresh the page, it works again... Strange. Even stranger, I experienced this on an older generation of iPhone, but I wondered if it might be related to how the phone handles the network (perhaps a bit whimsically 😅). From an SEO perspective, I've never observed any issues during crawling. However, I ensure that my sessions and cache go through Redis. Perhaps, to some extent, this influences the Framework's behavior...
--
-- You've received this message because you are subscribed to the Google Groups group. To post to this group, send an email to f3-fra...@googlegroups.com. To unsubscribe from this group, send an email to f3-framework...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/f3-framework?hl=en
---
You received this message because you are subscribed to the Google Groups "Fat-Free Framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to f3-framework...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/f3-framework/a28fd7ab-20db-4df4-88b8-fd08a1c7fcafn%40googlegroups.com.
ved
Dec 11, 2023, 6:50:52 PM12/11/23
to Fat-Free Framework
Hey,
These are all user-agent (or ip) changes for sure.
Lighthouse will almost certainly load the page fresh and generate a new session with the simulated UA, then when it finishes you're back at your original UA, causing the issue until you also refresh the page/session.
The same or similar issue is most likely what's happening to the original poster, but with bots/crawlers.
I also override the onsuspect handler to remove those checks most of the times due to issues like these, especially during development.
Cheers
v.
Dec 12, 2023, 3:04:57 AM12/12/23
to Fat-Free Framework
This is typical lighthouse behaviour. I actually posted this exact same question a while ago I think
Paul Herring
Dec 12, 2023, 9:58:45 AM12/12/23
to ved via Fat-Free Framework
On Mon, Dec 11, 2023 at 11:50 PM ved via Fat-Free Framework <f3-fra...@googlegroups.com> wrote:
These are all user-agent (or ip) changes for sure.
[...]
The same or similar issue is most likely what's happening to the original poster, but with bots/crawlers.
ved
Dec 12, 2023, 11:31:04 AM12/12/23
to Fat-Free Framework
Hi,
Unless I'm looking at the wrong things (likely, hence my question) they appear to be unchanged.
Possibly.
You should confirm with your webserver logs just to be certain that the ip and UA aren't getting changed between requests.
This is very common with crawlers and bots which are usually distributed systems.
Cheers
Reply all
Reply to author
Forward
0 new messages