[Bug] Session fingerprinting erroneously failing the check #2051
Comments
Hello, it would be helpful to have more information such as your browser, if you're using any extensions that may modify your user agent or client info, if your IP address is frequently changing, etc. Additionally, have you tried to see if the same behavior happens on a different browser / connection?
Hello, I use Firefox with the following extensions: Shoop, BetterTTV and uBlock.
Okay, so it's very unlikely to be a problem with your browser and is most likely being caused by a security system in FOSSBilling. The new 0.6.9 release has some improvements that can help us troubleshoot this, can you please update to that, reproduce the issue, and then check
If it does, then you can edit your
I had to update the version manually; it currently works after I deactivated the fingerprint setting.
I also ran into the same issue, but when testing FOSSBilling on Caddy server. All works without changes on Nginx. I made it work by changing 'CSRFPrevention' to false in the config.php, but have no idea what is wrong with Caddy.
Okay, thank you.
The "Authentication failed (206)" error is fairly generic. In the case of this bug report they were seeing it because their session failed the fingerprint check, causing it to be destroyed under the assumption of a session hijacking. If disabling the CSRF prevention option fixed it for you, then that's another issue, but I can't think of any way Caddy would cause these issues as it's just an additional token that's added to API requests.
Hi @JstnKlbt, the newly released 0.6.10 release has added debugging for this issue which can be enabled via the config file like so:

```diff
'security' => [
    'mode' => 'strict',
    'force_https' => true,
    'session_lifespan' => 7200,
    'perform_session_fingerprinting' => true,
-   'debug_fingerprint' => false,
+   'debug_fingerprint' => true,
],
```
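To illustrate what a fingerprint check of the kind discussed in this thread does, and why a debug switch like `debug_fingerprint` helps, here is an added example that is not FOSSBilling's own code; the set of fingerprinted attributes, the session layout and the function names are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Attributes the fingerprint is derived from. Which ones FOSSBilling actually
# uses is not stated in the issue; this list is an assumption for the example.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "client_ip")


def compute_fingerprint(client: Dict[str, str], secret: bytes) -> str:
    """Keyed hash over the client attributes in a fixed field order."""
    material = "\x1f".join(client.get(field, "") for field in FINGERPRINT_FIELDS)
    return hmac.new(secret, material.encode(), hashlib.sha256).hexdigest()


def create_session(client: Dict[str, str], secret: bytes, debug: bool) -> Dict:
    """Session record written at login. In debug mode the raw attributes are
    kept alongside the hash so a later mismatch can be explained."""
    session = {"fingerprint": compute_fingerprint(client, secret)}
    if debug:
        session["components"] = {f: client.get(f, "") for f in FINGERPRINT_FIELDS}
    return session


def check_session(session: Dict, client: Dict[str, str], secret: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, mismatched_fields).

    Without debug data only the verdict exists: the session is destroyed as a
    suspected hijack and the user sees a generic 'Authentication failed'.
    With debug data the attributes that changed are named, which lets an
    operator tell a rotating IP or a UA-modifying extension from an attack."""
    ok = hmac.compare_digest(session["fingerprint"], compute_fingerprint(client, secret))
    if ok or "components" not in session:
        return ok, []
    stored = session["components"]
    return False, [f for f in FINGERPRINT_FIELDS if stored.get(f) != client.get(f, "")]


if __name__ == "__main__":
    # Constructed sample: same browser, but the client IP changed between requests.
    secret = b"constructed-example-secret"
    at_login = {"user_agent": "Firefox/120", "accept_language": "de-DE", "client_ip": "203.0.113.5"}
    later = dict(at_login, client_ip="203.0.113.6")
    session = create_session(at_login, secret, debug=True)
    print(check_session(session, later, secret))  # (False, ['client_ip'])
```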
Describe the bug
I log in to the admin area, change a setting and then I get the error message "Authentication failed (206)" - then I log in again, apply the setting and less than 30 seconds later I have to log in again.
How to reproduce
Expected behavior
Attitude transfer
Screenshots
https://ibb.co/9GB06tk
FOSSBilling version
FOSSBilling 0.6.8