[Bug] Session fingerprinting erroneously failing the check #2051

Open
JstnKlbt opened this issue Jan 7, 2024 · 7 comments
Labels
bug Something isn't working

Comments

JstnKlbt commented Jan 7, 2024

Describe the bug

I log in to the admin area, change a setting and then I get the error message "Authentication failed (206)" - then I log in again, apply the setting and less than 30 seconds later I have to log in again.

How to reproduce

  1. Login to Admin area
  2. System
  3. Settings
  4. Email
  5. Edit the template

Expected behavior

The setting is applied.

Screenshots

https://ibb.co/9GB06tk

FOSSBilling version

FOSSBilling 0.6.8

@JstnKlbt JstnKlbt added the bug Something isn't working label Jan 7, 2024
@JstnKlbt JstnKlbt changed the title [Bug] Constant new registration [Bug] Authentication failed (206) Jan 7, 2024
BelleNottelling (Member) commented

Hello,

It would be helpful to have more information such as your browser, if you're using any extensions that may modify your user agent or client info, if your IP address is frequently changing, etc.

Additionally have you tried to see if the same behavior happens on a different browser / connection?
What about a private window?


JstnKlbt commented Jan 8, 2024

Hello,

It would be helpful to have more information such as your browser, if you're using any extensions that may modify your user agent or client info, if your IP address is frequently changing, etc.

Additionally have you tried to see if the same behavior happens on a different browser / connection? What about a private window?

Hello,

I use Firefox with the following extensions Shoop, BetterTTV and uBlock.
I've already tried it with Edge and Chrome, but always the same thing.
I don't change my IP address and I don't work with a VPN.

BelleNottelling (Member) commented

Okay, so it's very unlikely to be a problem with your browser and is most likely being caused by a security system in FOSSBilling.

The new 0.6.9 release has some improvements that can help us troubleshoot this, can you please update to that, reproduce the issue, and then check /data/php_error.log to see if there's anything similar to this message:

Session ID someSessionID has potentially been hijacked as it failed the fingerprint check. The session has automatically been destroyed.

If it does, then you can edit your config.php file and change 'perform_session_fingerprinting' => true, to 'perform_session_fingerprinting' => false, as a workaround.


JstnKlbt commented Jan 9, 2024

I had to update the version manually, it currently works after I deactivated the fingerprint setting.
There is currently no php_error.log.

getpinga commented

I also ran into the same issue, but when testing FOSSBilling on Caddy server. All works without changes on Nginx.

I made it work by changing 'CSRFPrevention' to false in the config.php - but have no idea what is wrong with Caddy.

BelleNottelling (Member) commented

it currently works after I deactivated the fingerprint setting.

Okay, thank you.
Feel free to leave it like that for the moment. I'll work to implement a method for us to properly gather more info on what's causing the fingerprint to fail and I'll give you instructions at that point, but the existing method of session fingerprinting isn't super advanced nor robust, so having it disabled isn't a significant reduction in security.

I also ran into the same issue, but when testing FOSSBilling on Caddy server. All works without changes on Nginx.

I made it work by changing 'CSRFPrevention' to false in the config.php - but have no idea what is wrong with Caddy.

The "Authentication failed (206)" error is fairly generic. In the case of this bug report they were seeing it because their session failed the fingerprint check, causing it to be destroyed under the assumption of a session hijacking.

If disabling the CSRF prevention option fixed it for you, then that's another issue, but I can't think of any way Caddy would cause these issues as it's just an additional token that's added to API requests.

@BelleNottelling BelleNottelling self-assigned this Jan 22, 2024
@BelleNottelling BelleNottelling changed the title [Bug] Authentication failed (206) [Bug] Session fingerprinting erroneously failing the check Jan 22, 2024
BelleNottelling (Member) commented

Hi @JstnKlbt,

The newly released 0.6.10 release has added debugging for this issue, which can be enabled via the config file as shown below.
It'll then print info to the error log when a fingerprint is rejected, which will help us identify where the issue is occurring.
Keep in mind, session fingerprinting must be enabled once again before this functionality will take effect.

    'security' => [
        'mode' => 'strict',
        'force_https' => true,
        'session_lifespan' => 7200,
        'perform_session_fingerprinting' => true,
-       'debug_fingerprint' => false,
+       'debug_fingerprint' => true,
    ],
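Review bot: the unchanged context line `'perform_session_fingerprinting' => true,` will not match the reporter's config, which was switched to `false` as the workaround given earlier in this thread, so the reader has to flip that line back as well as `debug_fingerprint`; the hunk should show both changes, or the accompanying text should state plainly that `debug_fingerprint` does nothing while fingerprinting is off. Also worth saying that `debug_fingerprint` should go back to `false` once the rejection has been captured, since it writes fingerprint info to the error log on every rejection.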

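To make the mechanism discussed in this thread concrete, here is an added example that is not FOSSBilling's own code: a minimal session-fingerprint check that binds a session to a few request attributes at login, destroys the session on mismatch (the behaviour the quoted log message describes), and, when a debug flag is on, logs which attribute changed so an erroneous failure can be traced. The component set (client network prefix, User-Agent, Accept-Language), the /24 and /64 binding, the function names and the sample requests are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import logging
from dataclasses import dataclass

log = logging.getLogger("session")

# Attributes a session is bound to. Assumption of this example; the project's
# actual component list is not shown in the thread.
FINGERPRINT_HEADERS = ("User-Agent", "Accept-Language")


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed sample data)."""
    remote_addr: str
    headers: dict


@dataclass
class Session:
    id: str
    fingerprint: str   # sha256 over the canonical components
    components: dict   # raw components, kept so debug output can name what changed
    alive: bool = True


def ip_prefix(addr: str) -> str:
    """Bind to the client's /24 (IPv4) or /64 (IPv6) rather than the exact address,
    so an address change inside the same prefix does not log the user out.
    Design choice of this example, not the project's."""
    bits = 64 if ":" in addr else 24
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def fingerprint_components(req: Request) -> dict:
    comps = {"ip_prefix": ip_prefix(req.remote_addr)}
    for name in FINGERPRINT_HEADERS:
        comps[name] = req.headers.get(name, "")
    return comps


def fingerprint(components: dict) -> str:
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(components.items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def start_session(req: Request, session_id: str) -> Session:
    comps = fingerprint_components(req)
    return Session(session_id, fingerprint(comps), comps)


def validate_session(session: Session, req: Request, debug: bool = False):
    """Return (ok, changed). On mismatch the session is destroyed; with debug=True
    the differing attributes are logged so the failure can be traced to its cause."""
    current = fingerprint_components(req)
    if hmac.compare_digest(session.fingerprint, fingerprint(current)):
        return True, []
    changed = sorted(k for k in current if current[k] != session.components.get(k))
    session.alive = False
    if debug:
        log.warning("Session ID %s failed the fingerprint check and was destroyed; changed: %s",
                    session.id, ", ".join(changed))
    return False, changed


# Constructed User-Agent strings for the demo.
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:121.0) Gecko/20100101 Firefox/121.0"
UA_FIREFOX_UPDATED = "Mozilla/5.0 (Windows NT 10.0; rv:122.0) Gecko/20100101 Firefox/122.0"


def run_demo() -> dict:
    """Three constructed follow-up requests against one login: same /24 prefix,
    a different network, and a browser update that changed the User-Agent."""
    login = Request("203.0.113.10", {"User-Agent": UA_FIREFOX, "Accept-Language": "de-DE"})
    cases = {
        "same_prefix": Request("203.0.113.200", dict(login.headers)),
        "new_network": Request("198.51.100.5", dict(login.headers)),
        "browser_update": Request("203.0.113.10", {**login.headers, "User-Agent": UA_FIREFOX_UPDATED}),
    }
    results = {}
    for label, req in cases.items():
        session = start_session(login, "sess-" + label)  # fresh session per case
        results[label] = validate_session(session, req, debug=True)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for case, (ok, changed) in run_demo().items():
        print(f"{case}: {'ok' if ok else 'rejected'} {changed}")
```

The point of keeping the raw components alongside the hash is the debug path: without them, a rejected fingerprint only tells you that something changed, which is exactly the dead end this thread hit before 0.6.10. A caveat when the app sits behind a reverse proxy: if any header folded into the fingerprint is rewritten by the proxy with a value that varies per request, every request after login fails the check, so the attribute named in the debug log is the first thing to compare against what the proxy forwards.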