Session hijacking: what’s (probably) going on

Over the last couple of months I’ve had a number of clients come to me because of mysterious things happening on their forums. Going to a forum they find that they are logged in as someone else and can see things they definitely should not see, such as private messages and forums they don’t have privileges to see. I’ve spent a lot of time trying to figure this out talking to client’s web host support teams and scouting for a solution.

The good news is that this is not due to some deficiencies in phpBB. The bad news is that this is due to the way your web host has configured their servers and it’s affecting phpBB.

phpBB is the #1 forum solution, with something like 70% of the market. But as a percentage of popular software installed on websites, phpBB is tiny, on about 1% of websites. What’s the 800 pound gorilla? It’s WordPress, which runs 27% of websites. So web hosts will meticulously tune their servers to optimize for WordPress, giving short shrift to much of the rest of the open source software out there. Most web hosts now say they are optimized for WordPress and market WordPress-specific hosting. phpBB is being left behind along with lots of other software. Because phpBB gets most of its content from a database to be presented on the fly, more than most open source solutions it is not amenable to static content.

The problem is most acute if you have Bluehost shared hosting. The underlying issue is some software called Varnish, more specifically Varnish HTTP Cache. Varnish helps dynamically driven sites perform more efficiently by caching content in your server’s virtual memory. Web hosts can make more money if they can get more utilization off one one web server. Varnish is one way they keep costs down as it allows them to stuff more websites on one machine.

Varnish is kind of pointless with phpBB since phpBB already has its own cache, which you can find in your forum’s cache folder. Essentially phpBB programs, templates, stylesheets and SQL calls are all compiled into .php programs in the cache folder so they can be executed more quickly. So it’s duplicitous but more importantly interferes with phpBB’s default behavior. So if you have the issue, contact your web host to find if they are using Varnish and if so have them turn it off. As for Bluehost, as of this writing they will tell you they can’t turn it off. You have shared hosting so one size fits all. They will however be happy to move you to their cloud product. Varnish is not installed there, so you won’t be affected. However you may have to pay a higher hosting fee.

It’s unclear if Varnish is the sole cause. Other potential problems may be due to Content Delivery Networks (CDNs). This is most typically CloudFlare, since it is bundled free by most web hosts. CDNs attempt to move content closer to the user by having it fetched from server farms geographically close to the site viewer, thus speeding up page load time. This is usually fine with phpBB since CDNs generally only store static files like images. So a CDN shouldn’t cause issues like this, but if you have a CDN you might want to disable it to see if the problem goes away. Note: the one time you do need to do something with your CDN is when you add a style or significantly change the look of your site. Then it’s a good idea to tell the CDN to delete all its cached content. Otherwise, the experience by end users might be mixed or odd.

I also suspect that ModSecurity may be causing issues like this, but I don’t have enough proof yet. If it is enabled, disabling ModSecurity may make your problem go away. As I blogged recently, disabling ModSecurity in general tends to solve a lot of weird phpBB issues, while it may introduce others by potentially making it easier for your site to propagate malware and viruses.

Leave a Reply

Your email address will not be published. Required fields are marked *