10.2. How to eliminate session checks

"Okay, fine but what can we do about it now?!" I hear you say. Well, you can remove or reduce validation as noted above (being aware of what you are doing), you could add the Mod noted above (you'll find it presently in another Invalid session topic ... no doubt it will be moved to one of the Mod forums in time) or finally you could remove the piece of code (from all affected pages) that looks like or similar to this:

// session id check
if ($sid == " || $sid != $userdata['session_id'])
{
   message_die(GENERAL_ERROR, 'Invalid_session');
}

This removes the added security of validation so if you do this we aren't interested in any security related problems that may arise. I highly recommend that you do not remove the added security from the admin control panel. Let's clarify a little the modifications that are needed:

You can either edit line 294 in the includes/session.php:

$ip_check_s = substr($userdata['session_ip'], 0, 6);
$ip_check_u = substr($user_ip, 0, 6);

and change the 6 to a 4, or, as a last resort (not endorsed by the phpBB staff and quite unsafe for the above reasons), you can delete all occurences of the code

// session id check
if ($sid == " || $sid != $userdata['session_id'])
{
message_die(GENERAL_ERROR, 'Invalid_session');
}

in all files. There are 9 occurences in 6 files:

includes/usercp_email.php
includes/usercp_sendpasswd.php
modules/Forums/groupcp.php
modules/Forums/login.php
modules/Forums/modcp.php
modules/Forums/posting.php on line 188

But most of the time, just changing the cookie, as described in Section 3.9.15, will solve the "invalid session" problem.