Random logouts - resolved!

[JQW]

I've had a report from one user about getting randomly logged out of the site every 5 minutes or so.

Further investigation reveals them to be using AOL as their ISP. AOL use a bunch of proxy servers with varying IP addresses. This plays havoc with verifying user accounts based on IP address, but in the past AOL seem to have kept the first three numbers of the IP address constant. However today I've noticed that AOL have started to vary the IP addresses somewhat more, breaking our security checking completely, forcing users to re-authenticate.

I've disabled all IP address checking for now, as this is the only way to get AOL users working again. Users of other ISPs who have also had random logouts should also have the problem resolved.

[Diamond Dog]

This is what is known as an alias amnesty.

[JQW]

It's nothing to do with aliases. The board software by default checks to make sure a logged in user is posting from roughly the same IP address as the one they initially logged in from, and will log the user out automatically if they address no longer matches. It does this to prevent spam networks from sharing the same login credentials.

The change I've made just disables this check. It makes us an easier target for spam networks, but as we're not getting touched by them at the moment it shouldn't be a problem. There's several other anti-spam tricks in place at the moment, with at least one more very clever one coming soon.

[jude]

How is the new software coping with spammers Paul? I'm a mod on another phpbb board and we get stuffed by spammers. If this is doing well i might advise the board admin to upgrade.

[JQW]

How is the new software coping with spammers Paul? I'm a mod on another phpbb board and we get stuffed by spammers. If this is doing well i might advise the board admin to upgrade.

The main advantage so far is that the new CAPTCHA hasn't been cracked. The one integrated with phpBB2 was cracked, and most spammers used this crack to get through. I had to install a MOD to block spam in the end, and even then we got up to a dozen fake users registering per day. Luckily this mod also blocked new users from posting links, so hardly any spammer managed to post.

Another feature coming in 3.0 RC6 (or 3.0.0, whichever appears first) is that each form will contain a hidden field containing a randomly generated key. Submitting the form will send that key back to the server, and the post will only be valid if the keys match. This is to stop bots and other automated systems sending down fake posts without visiting the board first. I've no idea how this key system will work in practice, as it may cause serious problems to some of our users. Also added as the same time as the key are options to set the minimum amount of time between viewing a post screen and submitting the post - again this may too cause us some problems. I'm expecting this new release to appear at any time.