Multiple user login notification spam

Support area for phpBB's mChat extension
Bgagger
Donor
Posts: 37
Joined: 28 Nov 2018, 15:57

Re: Multiple user login notification spam

#11

Post by Bgagger » 06 Apr 2019, 19:48

I think we have finally nailed down the culprit!
We recently switched the site to use https protocol, but some sub domains still support http access as well.
Users who had not updated their old bookmarks have been confirmed to be the same users causing multiple login notices.
So it's not a problem with mchat, it's a session problem caused by visitors accessing from different protocols.

terry2
Posts: 174
Joined: 22 Oct 2016, 18:22
Location: My castle

Re: Multiple user login notification spam

#12

Post by terry2 » 06 Apr 2019, 23:02

Pop this in your htaccess in root they will be forced to use https or shall i say there use http but will be redirected to https problem solved.

Code: Select all

#force https
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301]

User avatar
kasimi
mChat developer
Posts: 907
Joined: 06 Oct 2016, 09:56
Location: Germany
Contact:

Re: Multiple user login notification spam

#13

Post by kasimi » 13 Apr 2019, 20:24

Glad you found the cause. Did you find a solution? Keep in mind that you see two login notifications only if phpBB actually starts two sessions for the user, so make sure you redirect correctly and at the earliest stage. terry's rewrite rule is one solution.

Bgagger
Donor
Posts: 37
Joined: 28 Nov 2018, 15:57

Re: Multiple user login notification spam

#14

Post by Bgagger » 14 Apr 2019, 12:23

The reason why http access to the sub domain is still allowed is that our certificates have to be manually set up and updated, and in kind of a roundabout way (long story). So at least for an initial period, we decided to keep http access to the forum open specifically. In case the worst happens, update routines go awry and the site effectively goes down. That way members can still access the forum, regardless what happens.

This is a temporary solution though as either reliable routines get worked out, or another https solution is implemented.

Post Reply

Who is online

Users browsing this forum: Google [Bot], Yandex [Bot] and 1 guest