A few weeks ago I stopped being able to log in to my phpBB2 boards from work. Ha. Did they think that would stop me from wasting time?
In all seriousness, my main board is directly related to what I do at work, so there’s no reason for them to have blocked access to the site. And they didn’t, at least not on purpose. What happened was the IP configuration for our proxy load balancers got updated in some fashion. Now I don’t work for the network team so I don’t know exactly what configuration was changed and where. But I can tell you that instead of the last octet of my IP address potentially changing as I move from page to page, now the last two octets are changing. And that’s causing a problem.
If I open includes/sessions.php in my custom version of phpBB2 or a standard version (2.0.23) I find this code:
$ip_check_s = substr($userdata['session_ip'], 0, 6);
$ip_check_u = substr($user_ip, 0, 6);
if ($ip_check_s == $ip_check_u)
Remember that the session IP address is encoded using the encode_ip() function which converts the dotted decimal notation (127.0.0.1) into non-dotted hex data (7F000001) for storage. Normally my IP address would stay the same throughout my session. In some cases the last octet of the IP address might change, so 7F000001 might become 7F000012 instead. Based on the code shown above, that’s considered valid.
At my office, however, the last two octets are changing now. During my session I see my IP address change from xxxx6e15 to xxxx6c16. The last octet changing is not a problem. But the code shown above looks at xxxx6e and compares to xxxx6c and decides that someone might be hijacking my session.
IP-Based Session Checking
The code as shown above is attempting to prevent session hijacking. The assumption was made (and is in fact even mentioned in the comments in the code) that checking the first 3 octets of the IP address for consistency should be enough. Apparently it isn’t, at least not from my office anymore. I have also been given a number of bug reports from folks that say they were never able to proceed beyond page one of their search results. I don’t know if this has an impact on it or not; it could, since the search results are tied to the session ID.
In any case, I have a bit of a quandary. I have a documented case of a company configuration (the very company that I work for) where two of the four IP address octets are changing. And I have comments in the code that suggest that the IP address must be checked to prevent session hijacking.
I have not yet had time to see how (if) phpBB3 handles this. For now I intend to alter the code shown above from a 6 character substring down to a 4 character substring in order to be able to stay logged on from my own office. I hope it will also help folks with the search issue, although I have not seen anyone report one of those for a while.
The security risk? I guess there is some, but it seems to be minimal. Someone inside my company firewall could hijack my session if they knew what they were doing. Someone outside the firewall would have to know my IP address and be able to spoof it; at which point it doesn’t matter if I check 4, 6, or even all 8 characters of the encoded IP address. I am going to make the code change tonight and test when I go into the office tomorrow. If I can stay logged on, I will declare a victory.