Ravens PHP Scripts: Forums
 

 

PHrEEkie
Subject Matter Expert



Joined: Feb 23, 2004
Posts: 358

Posted: Fri Oct 29, 2010 5:03 am

First off, how are you Gaylen? Long time my good friend...

Secondly.. too.. many.. forums... ROTFL

Onto the issue... I decided to put up an old gaming site after many years of being offline. I had an original dist for RN2.30.00, so I installed it locally and started building the site. I built out the Forums, created groups, posted a few startup threads, all went well. I then uploaded the site to my server. All was still well. I added a new test user to test the forum permissions/groups, and wham! invalid_session...

To cut to the chase, my original login didn't ever see that, nor did it when I logged out of the second and back in with the first. This wasn't a cookie issue that I could see... I had a net friend make an account the old fashioned way and, invalid_session for them.

I noticed that when my original login is online, as soon as I click Forums, I start getting a sid= appended to anything I hover over. Logging out and back in with the test user, I get no sid appends at all. I found in modules/Forums/includes/sessions.php where the function append_sid is. That code returns false for all the elseif branches checking for admin urls etc, and falls through to:

Code:
   if ($userdata['user_level'] > 1) {
      // montego - added isset() check to try and keep SE Bots from crawling the sid
      if ( !empty($SID) && !preg_match('/sid=/i', $url) && isset($_COOKIE) )
      {
         // Strict comparison: strpos() returns 0 (not false) when '?' is the first character
         $url .= ( ( strpos($url, '?') !== false ) ? $amp : '?' ) . $SID;
      }
   }


Here is why the first user was getting a sid appended, as he is set as a moderator and therefore user_level 2. All new and/or regular users are user_level 1, so they do not pass the test that allows them to get the sid appended; their URLs remain unaltered.

My cheap and dirty fix was, of course, change > 1 to > 0, and of course, now my second user, as well as my web friend, can do anything on the boards without the session error. However, looking through my other websites from over the years, the > 1 is in all of them, so I'm lost...

I have been out of coding for a long time, and of course out of phpBB code itself, so I cannot be sure of where to find the actual fix instead of a cheap hack.

Question 1 - Have I introduced a security concern? Any concern?

Question 2 - Why do users > 1 get a sid appended, but not normal users (including Anonymous)?

Question 3 - Is there somewhere else in the code as a whole where the cookie is analyzed and the request allowed to process through without the sid appended? In other words, should every user see an appended sid, or just certain ones? Guess the question is, do I actually have a cookie issue?

domain: my-site.com (yes, the site has a dash in the domain)
cookie domain: mysite
cookie name: phpbbmysite
path: /

I have run versions of nuke at this domain since the early port days and never experienced any issues, and always used those cookie settings. No idea whether it's cookie or code, but something is weird. For the record, my browser is IE8 and my net friend was using latest FF, and I did try every cookie setting humanly possible. We've cleared temp files, caches, history, everything I would advise someone to do if I ran across this post.

Thanks, and how nice all this is still here... as it should be.

- Keith
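
Added example (not part of the thread, and not RavenNuke or phpBB code): it applies the RFC 6265 domain-match rule to the cookie settings as posted, then the user_level gate from append_sid, to show for which users the session identifier still reaches the server by cookie or by URL. It assumes the posted host and cookie domain are literal values and a browser that follows RFC 6265; the function names are hypothetical and it needs PHP 7.1 or later.

```php
<?php
// Added illustration; not RavenNuke or phpBB code. All function names are hypothetical.

// RFC 6265 section 5.1.3: a browser keeps a cookie only if the request host
// equals the Domain attribute or ends with "." followed by it.
function cookie_domain_matches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $domain = strtolower($cookieDomain);
    if (strncmp($domain, '.', 1) === 0) {
        $domain = (string) substr($domain, 1); // a leading dot is ignored
    }
    if ($domain === '' || $host === $domain) {
        return true; // empty Domain means a host-only cookie; identical strings match
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false; // IP-address hosts only match exactly
    }
    return substr($host, -strlen($domain) - 1) === '.' . $domain;
}

// The gate quoted in the post: the sid is appended only above $minLevel
// (the quoted code additionally requires a non-empty $SID).
function url_carries_sid(int $userLevel, int $minLevel): bool
{
    return $userLevel > $minLevel;
}

// Does the next request carry the session identifier at all (cookie or URL)?
function session_id_reaches_server(string $host, string $cookieDomain, int $userLevel, int $minLevel): bool
{
    return cookie_domain_matches($host, $cookieDomain) || url_carries_sid($userLevel, $minLevel);
}

// Constructed cases: the first row uses the values as posted, the others are comparisons.
$configs = [['my-site.com', 'mysite'], ['my-site.com', 'my-site.com'], ['www.my-site.com', '.my-site.com']];
foreach ($configs as [$host, $domain]) {
    foreach ([1, 0] as $minLevel) {      // original gate (> 1) and the poster's change (> 0)
        foreach ([1, 2] as $level) {     // regular user and moderator, per the post
            printf("host=%-16s domain=%-13s gate>%d level=%d cookie_kept=%-3s id_reaches_server=%s\n",
                $host, $domain, $minLevel, $level,
                cookie_domain_matches($host, $domain) ? 'yes' : 'no',
                session_id_reaches_server($host, $domain, $level, $minLevel) ? 'yes' : 'no');
        }
    }
}
```

Where the Domain value matches the host, the cookie alone carries the session and the sid does not need to appear in URLs, where it is exposed to Referer headers, server logs and pasted links.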
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Sat Oct 30, 2010 10:34 am

So much has changed functionally and more importantly security-wise between 2.3 and 2.4 that I would highly recommend ALWAYS getting the latest.

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sun Oct 31, 2010 11:13 am

Keith :shocked: ! How wonderful to hear from you!

It's a cookie/browser issue. As Montego suggested, get v2.4.01. If you still have the problem then post back. I'd also recommend using the default values that come with the installation.

To keep from going off topic, shoot me an email if you get time and let me know what you've been up to!

Best Regards,
Gaylen
 
PHrEEkie







Posted: Wed Nov 03, 2010 5:11 am

Hi again folks -

Just back from 2 days of RN2.40.01 hell...

And by that, I mean I built a new local Apache server with everything top-of-the-line. By doing that, I got to hand edit around 380 odd POSIX ereg's into functioning PCRE Regex's due to installing PHP 5.3.0. That was really not fun... hehe but it's done. Better yet, it's working. Frankly, to say I'm blown away would be minimizing my surprise when the site came up. Fantastic work people!

Haven't had time to post or email anything... with 2 kids and an entire RN dist to modify REGEX's for, obviously I have just been swamped.. just wanted to drop back in and say thanks for the recommendation/advice, and we'll see how it works asap (the invalid session issue). I only have the virgin site loaded atm, haven't ported over any settings from the other site. Will do that after some sleep. Prolly catch y'all on the 2.40 forums...

Peace,
- Keith
 
Raven







Posted: Wed Nov 03, 2010 2:43 pm

PHrEEkie,

Before you start hacking away, would/could you zip up your modified RN2.40.01 virgin install with your PHP 5.3.0 changes and send me a PM with the d/l link? Pretty Please?
 
PHrEEkie







Posted: Wed Nov 03, 2010 3:20 pm

Will do Gaylen... I'm keeping a separate folder with all the virgin files with changes. Currently trying to deal with all the magic quotes issues, those are the only errors I'm getting right now. Oh, and the dbMysql.class.php file in INSTALLATION/classes has a function called Destroy. It throws a reference error, but doesn't prevent the script from running/completing.

I did the install EXACTLY as anyone who downloaded it would do, and it all went perfectly. The only snag was for some reason I had no includes/addons folder. When the script went to look for any files in there, it hung up and timed out. No errors were displayed and I had to put in script break points to figure out where it was hanging up. Easily fixed the issue and the site popped right up.

My production server is PHP 5.2.8 and my dev server is 5.3.3. I ran regex test scripts on both sides as I went through the files. Each and every ereg was first tested for what it was trying to capture, then the PCRE equivalent was built and also tested. I feel very confident that the migration was as clean as possible without disturbing any surrounding code. We'll see how well I fare with the magic quotes issues...

- Keith
 
Raven







Posted: Wed Nov 03, 2010 3:52 pm

Thanks so much!
 
montego







Posted: Sat Nov 06, 2010 3:44 pm

BTW, could have sworn I saw somewhere that Palbin was already working on all the PCRE changes if not done...
 
All times are GMT - 6 Hours
 