Occasional 403 or 404 on F3 routes #142

Closed
atkinsj opened this issue May 7, 2016 · 3 comments
atkinsj commented May 7, 2016

No description provided.


exodus4d commented May 7, 2016

I never came across this problem, but I have a suggestion:
First I would like to know since when this has happened. I pushed a framework upgrade of "Fat-Free-Framework" (v3.5.0 -> v3.5.1) to the develop branch yesterday, so this upgrade could cause the problem. I had to do this upgrade because some bugs were fixed that I contributed to (bcosca/fatfree#908).

My Assumption

Your IP has changed. I never had this problem because of my static IP address.

The "Problem" in detail

In v3.5.1 DB-Session handling was improved/fixed (sql\session.php, from L69 onwards). A default onsuspect() callback handler was added to the Session read() function, which should help to protect against CSRF attacks. As you can see, the new default handler checks for IP or User-Agent changes and invalidates the current Session as "suspect" with an HTTP 403.
This problem was also discussed in here: bcosca/fatfree#762

The Solution

I'll hand over my own onsuspect() callback handler to the DB\SQL\Session() constructor (controller.php#L118).
Official docs: http://fatfreeframework.com/session#onsuspect .
So this is not really a bug, rather a security "feature" which is probably a bit too "strict". ;)

@exodus4d exodus4d self-assigned this May 7, 2016
@exodus4d exodus4d added this to the v 1.0.0RC3 milestone May 7, 2016

exodus4d commented May 7, 2016

  • IP changes are no longer validated as "suspect session".
    • If this becomes a security problem in future, we should revert this! I don't know if this is a problem with the IGB or desktop browser.
    • I don't know why they added this validation, it doesn't make sense to me. - Particularly in a Single-Page-App like Pathfinder.

      "[...] IPs can change at any time - the idea behind HTTP is that each request is independent. [...]"
      "[...] you shouldn't track IP changes for 'security' - the only exception is if you can deal with geoIP features, and want to disable/annoy users of various anonymisation services. [...]"
      http://stackoverflow.com/a/7550915/4329969

  • In order to obtain some data about IP-changed sessions, these changes are logged in log/session_suspect.log
  • User-Agent changes are still handled as "suspect" and trigger a 403, clear the session and remove the session cookie
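The policy described in the comment above (tolerate and log IP changes, still treat a User-Agent change as a hijacked session), written out as a custom onsuspect() handler for Fat-Free's DB\SQL\Session. This is an added example, not Pathfinder's controller code. It assumes F3 3.5.1 or later is autoloaded, that `$db` is an existing \DB\SQL connection, that the LOGS directory is configured, and that the callback receives `($session, $id)` and returning FALSE marks the session as suspect, as documented at fatfreeframework.com/session#onsuspect; the handler and variable names are my own.

```php
<?php
// Added example (not Pathfinder's own code): custom onsuspect() handler for
// F3's DB\SQL\Session. IP changes are logged but tolerated; a User-Agent
// change returns FALSE, after which F3 destroys the session row, drops the
// session cookie and answers with HTTP 403.
// Assumptions: F3 >= 3.5.1, $db is a \DB\SQL handle, LOGS dir is set,
// callback signature ($session, $id) with FALSE meaning "suspect".

$f3 = \Base::instance();

// $db is assumed to exist already, e.g.:
// $db = new \DB\SQL('mysql:host=localhost;dbname=pathfinder', 'user', 'pass');

$onSuspect = function (\DB\SQL\Session $session, $id) use ($f3) {
    // Written below the configured LOGS directory (cf. log/session_suspect.log).
    $log = new \Log('session_suspect.log');

    // Values stored with the session row vs. values of the current request.
    $storedIp     = $session->ip();
    $storedAgent  = $session->agent();
    $currentIp    = $f3->get('IP');
    $currentAgent = $f3->get('AGENT');

    if ($storedAgent !== $currentAgent) {
        // User-Agent changed: keep treating this as a possible hijack.
        $log->write(sprintf(
            'SUSPECT   sid=%s ip=%s agent changed: "%s" -> "%s"',
            $id, $currentIp, $storedAgent, $currentAgent
        ));
        return false;   // F3 invalidates the session and sends 403
    }

    if ($storedIp !== $currentIp) {
        // Only the IP changed (mobile network, VPN, CDN/proxy): tolerate it,
        // but keep a record so the decision can be revisited later.
        $log->write(sprintf(
            'IP-CHANGE sid=%s %s -> %s agent="%s"',
            $id, $storedIp, $currentIp, $currentAgent
        ));
    }

    return true;        // anything other than FALSE keeps the session alive
};

// Pass the handler instead of relying on F3's default one
// ($table = 'sessions' and $force = TRUE are F3's defaults).
new \DB\SQL\Session($db, 'sessions', true, $onSuspect);
```

Two caveats worth keeping in mind with either policy: F3 fills `IP` from the Client-IP / X-Forwarded-For headers when they are present, so behind a CDN or reverse proxy that value is only as trustworthy as the proxy that strips and re-sets those headers; and the User-Agent is sent by the client, so an attacker who has copied the session cookie can copy the User-Agent just as easily. The check catches accidents and unsophisticated reuse, not a determined attacker; the real protection against cookie theft remains TLS plus HttpOnly/Secure cookie flags and session regeneration on login.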


exodus4d commented May 7, 2016

Off topic:

@atkinsj I have some personal questions about your experience with Cloudflare. I have no background knowledge of CDN providers.

  • What is the primary reason you use it for?
  • What is your experience? - Would you recommend it?
  • Can you provide any stats/info or a comparison running Pathfinder with/without a CDN?

I'm currently setting up a new public testing environment (dev.pathfinder-w.space), running the latest develop commit. Maybe it is worth giving it a try on this domain? I'm on a DigitalOcean VPS with 2GB RAM, 2 cores.
