On Sat, Sep 25, 2021 at 10:52 PM Bryan Petty <br...@ibaku.net> wrote:
> This is part of the effort to fix the issues many users have been
> having with sessions on the forums. I can't confirm if this upgrade
> actually fixes it, but I can say that my own login appears to work
> fine after the upgrade (it has worked on the current server most of
> the time too though). Time will tell if this resolves the issue.

Alright folks, I think I've actually *really* fixed the login session issues.

My biggest hint was that when this happened, URLs generated on the
board would result in completely different `sid=` values, meaning
every request was creating a new session ID. I could see this
happening in these situations for weeks now, and knew it was part of
the problem. I just thought some phpBB code was triggering new
sessions somehow (and phpBB does do this in certain situations
normally). phpBB makes use of native PHP session IDs for these, and
ties form submissions on the site to those session IDs to prevent CSRF
attacks. Since session IDs change with every request, the site
considers all form submissions as potential attacks, and blocks them.
This is why you see "form is invalid" errors.

I finally took the time to re-evaluate the PHP session store
configuration on the server today though, and discovered it's been
trying to save PHP sessions on disk, in a path it doesn't have write
access to. I've reconfigured this to use the more performant in-memory
cache already running on the server, and I can verify that session IDs
are no longer changing per request on the site. To be honest, I didn't
suspect this would be part of the problem since it appeared to work
fine for many people for a long time, and even occasionally worked
fine for people that had seen the issue (after trying again later).

Anyway, you should no longer be seeing login/session problems now.

--
Regards,
Bryan Petty
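
The symptom described in the message above (a different `sid=` value on every request from the same client) can be looked for in web server access logs. The following is an added example, not part of the original message and not phpBB code; it assumes combined-format access logs, identifies a client by IP address plus user agent, and uses illustrative thresholds, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format (not taken from the real server).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2021:22:10:01 +0000] "GET /viewforum.php?f=1&sid=a1f0c3d4e5b60718293a4b5c6d7e8f90 HTTP/1.1" 200 5120 "-" "UA-One"
203.0.113.7 - - [25/Sep/2021:22:10:09 +0000] "GET /viewtopic.php?t=42&sid=0b9e8d7c6f5a41322314a5b6c7d8e9f0 HTTP/1.1" 200 7321 "-" "UA-One"
203.0.113.7 - - [25/Sep/2021:22:10:30 +0000] "GET /ucp.php?mode=login&sid=77aa66bb55cc44dd33ee22ff11009988 HTTP/1.1" 200 2044 "-" "UA-One"
203.0.113.7 - - [25/Sep/2021:22:10:41 +0000] "POST /ucp.php?mode=login&sid=c0ffee00c0ffee00c0ffee00c0ffee00 HTTP/1.1" 200 2101 "-" "UA-One"
198.51.100.20 - - [25/Sep/2021:22:11:02 +0000] "GET /index.php?sid=5e5e5e5e4d4d4d4d3c3c3c3c2b2b2b2b HTTP/1.1" 200 4800 "-" "UA-Two"
198.51.100.20 - - [25/Sep/2021:22:11:03 +0000] "GET /styles/site.css HTTP/1.1" 200 900 "-" "UA-Two"
198.51.100.20 - - [25/Sep/2021:22:11:15 +0000] "GET /viewforum.php?f=2&sid=5e5e5e5e4d4d4d4d3c3c3c3c2b2b2b2b HTTP/1.1" 200 5002 "-" "UA-Two"
198.51.100.20 - - [25/Sep/2021:22:11:40 +0000] "GET /viewtopic.php?t=7&sid=5e5e5e5e4d4d4d4d3c3c3c3c2b2b2b2b HTTP/1.1" 200 6650 "-" "UA-Two"
198.51.100.20 - - [25/Sep/2021:22:12:05 +0000] "POST /posting.php?mode=reply&sid=5e5e5e5e4d4d4d4d3c3c3c3c2b2b2b2b HTTP/1.1" 302 0 "-" "UA-Two"
192.0.2.9 - - [25/Sep/2021:22:13:00 +0000] "GET /index.php?sid=1234567890abcdef1234567890abcdef HTTP/1.1" 200 4800 "-" "UA-Three"
192.0.2.9 - - [25/Sep/2021:22:13:20 +0000] "GET /index.php?sid=fedcba0987654321fedcba0987654321 HTTP/1.1" 200 4800 "-" "UA-Three"
"""

# client IP, request URL and user agent from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
SID_RE = re.compile(r'[?&]sid=([0-9A-Za-z]+)')


def sid_churn(log_text, min_requests=3, churn_threshold=0.9):
    """Return {(ip, agent): (requests_with_sid, distinct_sids)} for clients
    whose sid differs on (nearly) every request. Thresholds are assumptions."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, url, agent = m.groups()
        sid = SID_RE.search(url)
        if sid:  # requests without sid= (static files etc.) are ignored
            seen[(ip, agent)].append(sid.group(1))
    flagged = {}
    for client, sids in seen.items():
        distinct = len(set(sids))
        # A single sid change (e.g. at login) is normal; a new sid on almost
        # every request means the server is not finding the stored session.
        if len(sids) >= min_requests and distinct / len(sids) >= churn_threshold:
            flagged[client] = (len(sids), distinct)
    return flagged


if __name__ == "__main__":
    for (ip, agent), (n, d) in sid_churn(SAMPLE_LOG).items():
        print(f"{ip} [{agent}]: {d} distinct sid values in {n} requests")
```
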