How to eliminate session checks

10.2. How to eliminate session checks

"Okay, fine but what can we do about it now?!" I hear you say. Well, you can remove or reduce validation as noted above (being aware of what you are doing), you could add the Mod noted above (you'll find it presently in another Invalid session topic ... no doubt it will be moved to one of the Mod forums in time) or finally you could remove the piece of code (from all affected pages) that looks like or similar to this:

// session id check
if ($sid == " || $sid != $userdata['session_id'])
   message_die(GENERAL_ERROR, 'Invalid_session');

This removes the added security of validation so if you do this we aren't interested in any security related problems that may arise. I highly recommend that you do not remove the added security from the admin control panel. Let's clarify a little the modifications that are needed:

You can either edit line 294 in the includes/session.php:

$ip_check_s = substr($userdata['session_ip'], 0, 6);
$ip_check_u = substr($user_ip, 0, 6);

and change the 6 to a 4, or, as a last resort (not endorsed by the phpBB staff and quite unsafe for the above reasons), you can delete all occurences of the code

// session id check
if ($sid == " || $sid != $userdata['session_id'])
message_die(GENERAL_ERROR, 'Invalid_session');

in all files. There are 9 occurences in 6 files:

modules/Forums/posting.php on line 188

But most of the time, just changing the cookie, as described in Section 3.9.15, will solve the "invalid session" problem.

Help us make a better PHP-Nuke HOWTO!

Want to contribute to this HOWTO? Have a suggestion or a solution to a problem that was not treated here? Post your comments on my PHP-Nuke Forum!

Chris Karakas, Maintainer PHP-Nuke HOWTO


Site Info v2.2.2

Last SeenLast Seen
Server TrafficServer Traffic
  • Total: 373,309,509
  • Today: 35,313
Server InfoServer Info
  • Dec 14, 2018
  • 11:31 am CET