AOL 9.x users can’t post on 3.0.4

[stormbringergrey]

I’ve disabled the GD option for CAPTCHA so AOL users can register but now I’m finding they can’t post. They can login but any attempt to create a new topic or reply to an existing topic returns them to the login screen. I wanted to blame this on novice users with really bad taste in browsers, however, I downloaded the AOL client software with a borrowed account and I’m finding I have the same issue. Thinking the problem might be unique to my installation of phpBB I tried logging into Area51 with the AOL browser to make this post and experienced the same problem here. Anyone else had this problem and know of a fix?

Having had two issues with AOL I got a little concerned about support for other browsers. So far the latest Windows versions of IE, Safari, and Chrome work, AOL does not, I haven’t tried Opera, FireFox or anything on a Mac yet.

[bolverk]

In your ACP -> General -> Server Configuration -> Security settings, what is the value of the following field?

Session IP validation:
Determines how much of the users IP is used to validate a session; All compares the complete address, A.B.C the first x.x.x, A.B the first x.x, None disables checking. On IPv6 addresses A.B.C compares the first 4 blocks and A.B the first 3 blocks.

[stormbringergrey]

It is set to A.B.C. which was the default. I don't have the AOL client here at home but I can experiment once I'm back in the office tomorrow. I'm curious, do you know what the security exposure is by changing this value?

Just for the record, here are some other security settings which might be relavent, all are set to defaults:

Allow Persistent Logins: Yes
Persistent Login exp. length: 0 days
Session IP Validation: A.B.C.
Validate Browser: Yes
Validate X_Forwarded_For header: No
Validate Referer: Host only
Check IP against DNS Blackhole list: No
Check e-mail domain for valid MX record: Yes

[bolverk]

Aol users come in on various proxies which means that during any given session the IP address can change from page to page. Reducing the check to A.B is the first thing I would try to see if they can maintain their sessions. I've run like that for years (before the ACP setting it was a code hack) just for dial-up proxy users and not had any session hijacking issues.

[stormbringergrey]

Thanks, that was it

Just for the record, to be AOL* compatible the following settings must be changed to the “boxed” version of phpBB 3.0.X:

1. General > Visual Confirmation Settings > GD CAPTCHA = No
2. General > Security Settings > Session IP Validation = A.B

*10.1 million subscribers as of Nov. 2007 http://en.wikipedia.org/wiki/AOL

[bolverk]

Thought so. Glad it's working now. When I lived in the sticks years ago AOL dialup was my only option, so glad those days are over. Main site is back up. Not sure what they'll do with support topics here as this was a *temporary forum*