Affected version: 2.3.7
When a user's session ID is associated with an IP address marked as Discouraged in the XenForo admin panel, API requests to http://127.0.0.1/forum/api/auth/from-session experience significant delays, even though the request itself originates from a non-discouraged IP (127.0.0.1). This throttling behavior is unexpected and disruptive.
Session and authentication API endpoints should respond immediately, independent of the discouraged status of the user’s associated IP.
We use a frontend wrapper website that relies on XenForo for auth and session functionality. This issue caused a production outage, with php-fpm processes hanging while waiting for XenForo API responses after a common IP subnet was Discouraged. The throttling logic should not apply to local API requests.
Steps to reproduce:
- Generate an admin API key to use for testing
- Visit the forum from a Discouraged IP address and allow the browser to pick up an xf_session cookie. Extract the session ID using the browser's dev console.
- Use this session ID to make a request to the XenForo API from a non-discouraged IP address. Something like this should work:
Code:
curl -X POST "http://localhost/forum/api/auth/from-session" \
    -H "XF-Api-Key: Your-API-Key-Here" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "session_id=Session-ID-From-Browser-Cookie"
Result: You will be waiting a loooong time
Expected result: Returns an error quickly
(Edited for clarity)
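The following is an added example, not part of the bug report above and not XenForo's own code. It wraps the reproduction step in a script that runs the same from-session call with a hard client-side timeout, so a probe (or a wrapper backend) fails fast instead of holding a worker for the duration of the throttle. The base URL, the XF_API_KEY environment variable, the 5-second ceiling and the result categories (ok, fast_error, hang, unreachable) are this example's own assumptions, not anything defined by the report or by XenForo.

```shell
#!/bin/sh
# Added example (not from the original bug report): time the
# /api/auth/from-session call with a ceiling, so a discouraged-IP throttle
# shows up as a clean "hang" result rather than a stalled process.
# Assumptions: XenForo reachable at $XF_BASE (default matches the report),
# an admin API key in $XF_API_KEY, session ID supplied as the first argument.

XF_BASE="${XF_BASE:-http://localhost/forum}"
MAX_TIME="${MAX_TIME:-5}"   # seconds; far above a healthy auth round-trip

# classify_probe CURL_EXIT HTTP_CODE -> ok | fast_error | hang | unreachable
# Categories are this example's own; a prompt 4xx ("fast_error") is the
# expected outcome for a bogus or expired session.
classify_probe() {
  case "$1" in
    0)
      case "$2" in
        2??) echo ok ;;
        *)   echo fast_error ;;   # server answered quickly with an error
      esac ;;
    28) echo hang ;;              # curl hit --max-time: the reported symptom
    *)  echo unreachable ;;       # connect/DNS/TLS failure, not a throttle
  esac
}

# probe_from_session SESSION_ID -> prints "<class> <http_code> <seconds>"
probe_from_session() {
  sid="$1"
  # -w still prints (http_code 000) when curl aborts on timeout.
  result=$(curl -s -o /dev/null --max-time "$MAX_TIME" \
    -w '%{http_code} %{time_total}' \
    -X POST "$XF_BASE/api/auth/from-session" \
    -H "XF-Api-Key: ${XF_API_KEY:?set XF_API_KEY to an admin API key}" \
    --data-urlencode "session_id=$sid" 2>/dev/null)
  rc=$?
  set -- $result          # split into http_code and time_total
  echo "$(classify_probe "$rc" "${1:-000}") ${1:-000} ${2:-$MAX_TIME}"
}

# Usage: XF_API_KEY=... ./probe.sh <session_id>
# Run from a non-discouraged IP with a session created from a Discouraged IP;
# a "hang" line reproduces the report, "fast_error" is the expected behaviour.
if [ -n "$1" ]; then
  probe_from_session "$1"
fi
```

Putting the same `--max-time` (or the equivalent CURLOPT_TIMEOUT in a PHP client) on the wrapper's calls is the mitigation a deployment can apply on its own side: it does not fix the throttle, but it bounds how long each php-fpm worker is tied up by it.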