Security Settings

Discussion of non-phpBB related topics with other users.
Stoker
New member
Posts: 6
Joined: Mon Mar 03, 2025 10:44 am

Security Settings

Post by Stoker »

Hello

Read the topic here: viewtopic.php?t=89
Also tested it. Not that I have any problems related.

But it made me think about security settings. More than 16 old security settings :D

So the curious mind wants to ask what the recommended security settings are in 2025?
Kailey
Administrator
Posts: 69
Joined: Sat May 18, 2024 4:11 am
Name: Kailey Snay

Re: Security Settings

Post by Kailey »

Stoker wrote: Mon Mar 03, 2025 10:48 am
"what the recommended security settings are in 2025"
Are you referring to phpBB's security settings section in the ACP? I don't think there's any recommended settings, even on the official support site.
Dion
New member
Posts: 32
Joined: Fri Dec 06, 2024 3:37 am

Re: Security Settings

Post by Dion »

Since I created that topic, I figured I should reply. :D

Most of the phpBB security settings were developed 20 years ago, in a time when access to a phpBB board was via desktop/laptop PCs with internet provided by a telephone or cable TV company. IP addresses, user agents, and the like did not change often, and proxy services like CloudFlare didn't exist. The settings were well-thought-out for the internet as it existed in 2005.

Fast-forward to the present, when most access is via mobile phones which receive IP addresses (and sometimes even user agents) via repeater software/hardware on cellphone towers. The IP address can change every couple of minutes in most areas, and can change on every page access in large urban areas. The possibility of the IP addresses being in the same /24 block is zero. In fact, it's becoming unlikely they will be in the same /16 block, and in large urban areas, it's possible they won't even be in the same /8 block.

In addition, almost all external services used by phpBB for security have moved to APIs that require registration to obtain a (usually-free) API key. The 2005-era access methods used by phpBB are disappearing; it's gone with Spamhaus, RIPE, and LACNIC, will be gone at the end of this year with ARIN, and is severely rate-limited with Spamcop and the other internet registries. (And to those who think using ipinfo.io will solve the IP lookup issue, don't be surprised when you get throttled... ipinfo.io also requires usage of its API to remove access limitations.)

That means many of the security settings which were great when phpBB 3.0 was released are, well, not-so-great today. I strongly suggest to people that they disable the settings I mention in the topic you referenced, including the "session IP validation" and "validate referer" settings. Not only will this eliminate the "I keep getting logged out" and "registration/posting takes forever" issues, phpBB will run faster because it's no longer wasting time on every page load to check obsolete settings.
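To make the /24, /16 and /8 argument above concrete, here is an added example (not phpBB's code and not part of the thread) that models a session IP check comparing the first N octets of the login address against each later request, and counts how often a constructed sequence of changing mobile addresses would force a re-login at each strictness level.

```python
"""Model of an octet-prefix session IP check, written for this thread.

`octets` is the number of leading IPv4 octets that must match between the
address a session was created with and the address of each later request:
4 = full address, 3 = same /24, 2 = same /16, 1 = same /8, 0 = check off.
This is an illustration of the behaviour discussed above, not phpBB code.
"""
from ipaddress import IPv4Address


def same_block(session_ip: str, request_ip: str, octets: int) -> bool:
    """True when the first `octets` octets match; octets=0 always passes."""
    if not 0 <= octets <= 4:
        raise ValueError("octets must be between 0 and 4")
    # .packed gives the 4 raw bytes, so slicing compares leading octets.
    return IPv4Address(session_ip).packed[:octets] == \
        IPv4Address(request_ip).packed[:octets]


def count_forced_logouts(ip_sequence, octets: int) -> int:
    """Number of requests the check rejects for a user whose IP changes.

    Each rejection ends the session; the user logs in again and the new
    session is bound to the current address, so we rebind after a reject.
    """
    rejected = 0
    bound_ip = ip_sequence[0]          # address at login
    for ip in ip_sequence[1:]:
        if not same_block(bound_ip, ip, octets):
            rejected += 1
            bound_ip = ip              # fresh login from the new address
    return rejected


# Constructed sample (documentation/test ranges, not real traffic): one
# mobile user's address drifts within a /24, then out of the /24, /16 and /8.
MOBILE_SESSION = [
    "198.51.100.10", "198.51.100.77",  # same /24, different host
    "198.51.200.5",                    # same /16, different /24
    "198.18.7.9",                      # same /8, different /16
    "203.0.113.4",                     # different /8
    "203.0.113.4",                     # unchanged on the last request
]


def logouts_per_setting(ips=MOBILE_SESSION) -> dict:
    """Map each check strictness (0..4 octets) to forced re-logins."""
    return {octets: count_forced_logouts(ips, octets) for octets in range(5)}


if __name__ == "__main__":
    for octets, n in logouts_per_setting().items():
        print(f"match {octets} octet(s): {n} forced re-login(s)")
```

With this input the stricter the prefix, the more often a moving client is logged out, while the /8 setting still rejects the cross-network hop; which is the trade-off Dion describes.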
Stoker
New member
Posts: 6
Joined: Mon Mar 03, 2025 10:44 am

Re: Security Settings

Post by Stoker »

Thank you for your reply.
Now there's not much left in the security tab :)