Member gets logged into other accounts?

Ludachris

Well-known member
Here's a weird one. I just had a moderator on one of my forums email me saying they couldn't log in to the forum, and it started happening yesterday. He was getting one of those "Security error occurred" messages that you get when you leave a page open and need to refresh to continue. But he says he refreshed. When he tried to log in it just refreshed the page and he still wasn't logged in. But then, when he went to another page in the forum, it displayed as if he was logged in, with his avatar up top, etc. Then something strange happened - as he navigated around a few pages, his logged in avatar changed and it appeared as if he was logged in as another user. It changed to different users a few times as he clicked around to different pages. He sent me screenshots showing the different users he was showing as being logged in as.

WTF? How would that even be possible?
 
This is usually an issue with a misconfigured upstream cache (Varnish, Litespeed, nginx, etc.) caching authenticated pages.
 
Not Libmemcached, correct?

I just got another complaint about the error. Nothing has changed recently though. I'm running Standard caching in Cloudflare.
 
I found a problem from the file checker:
src/XF/BbCode/Renderer/EditorHtml.php

Looks like I didn't patch that installation and it came back to bite me. Should I have anything to worry about after running the upgrade?
 
That file has no bearing on the issue.

As Jeremy said, it's most likely a server side caching issue.
 
I just purged the Cloudflare cache and am checking with the host to see if we have server side cache set up for this site. I don't remember setting it up.

And now the issues are happening to me too when I browse the site. The same exact issues.
 
Here's the strange part - the issue with the wrong user being displayed only happens when viewing the forum index page. Any other page of the forum displays the correct user. The homepage displays as if I'm not logged in. Here's what I have in the settings:

[Attached image: 1682114952554.webp]

Again, this just started happening yesterday. It was working fine before that, with no changes to the website made. I'm still waiting to hear back from the host about caching. But the other XF forums on the server are not having this issue.
 
I had this issue one time many years ago. I think I was using Engintron and NGINX at the time. I'm not sure if you are using it or not, but maybe the link will be helpful in troubleshooting.


I don't have that problem anymore as I don't use Engintron NGINX anymore and my memory is not very good on how I ended up resolving the issue at the time. 🤔

Hope that helps. :-)
 
Yeah, we're not using Engintron or NGINX. Just Apache. The host doesn't see any server side cache systems like Varnish or Litespeed running. And I don't remember setting anything up for that site - I have it set up the same way I have my other forums on the server. Cloudflare is running but that's really it. I disabled the caching in the config file, but that didn't seem to do anything. Would I have to restart the server for it to take effect?
 
Do I need to add a rule to Cloudflare caching or something? I don't have any rules set for any other XF forum sites in Cloudflare.
 
If you inspect the page response headers in the browser developer tools it will typically have a header with details on if there was a cache hit.
 
It's easy enough to tell if the page is being cached by Cloudflare at the network edge by looking at the HTTP response headers. Normally that would look like: cf-cache-status: HIT
 
I don't see anything like that in the Network tab in the browser dev tools. Where should I be looking for it?

[Attached image: 1682357894943.webp]
 
That page request isn't being served from Cloudflare cache in that case. Make sure you are testing it with the actual request where you see the wrong user logged in (if the page request isn't showing the underlying issue, then it's not that useful). Might need to test it with Incognito or something.

If the HTTP response headers show cf-cache-status: DYNAMIC and that same request shows the wrong user logged in, it's not a Cloudflare cache issue, so at least you can work from there.
 
That is the page where the wrong user is logged in. So it sounds like I can rule out Cloudflare.

Could this have anything to do with CNAME records/DNS? I have a bunch of CNAME records for ezoic, as I was working to get the site set up with them, though I never actually completed the ezoic setup and am not using their service. Wondering if that could cause this.
 
No idea what Ezoic is, but I can't imagine anything that would somehow serve the wrong content based on DNS records. DNS either works or it doesn't... it doesn't cause a page to be fetched from the past or from a different user.

The next thing I would check is make a request to the page showing the wrong user with a cache breaking URL and see if that affects it. For example, if this was the problematic URL: https://example.com/forums/ make a request for https://example.com/forums/?cb=123 that makes the URL unique, but shouldn't affect the actual content. That will also give you the ability to see if the request made it to your web server (if you have access to your web server logs). If you search the web logs for "cb=123", you know the request did in fact make it to your web server, so you can rule out some other front-end proxy that your web hosting company might have in place. At that point, if the request made it to your web server and that request is still serving up something wrong, you are going to need to go digging through your web server config and/or XenForo itself (maybe an addon or something doing it).
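The triage steps suggested in this thread (read the cache headers on the affected response, then repeat the request with a cache-breaking `cb=` parameter and look for it in the web server log) can be scripted. The Python below is an added example, not code from any poster or from XenForo; the header checks other than `cf-cache-status` are common conventions assumed here, and the sample headers and log line are constructed.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# cf-cache-status values that mean the body came out of Cloudflare's cache.
CF_FROM_CACHE = {"HIT", "STALE", "REVALIDATED", "UPDATING"}

def cache_busting_url(url, token=None):
    """Append a unique cb=<token> so the URL cannot match an existing cache entry."""
    token = token or secrets.token_hex(8)
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("cb", token)]
    return urlunsplit(parts._replace(query=urlencode(query))), token

def cache_evidence(headers):
    """Return the response headers that indicate a shared cache produced the body."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    found = []
    if h.get("cf-cache-status", "").upper() in CF_FROM_CACHE:
        found.append("cf-cache-status: " + h["cf-cache-status"])
    if h.get("age", "").isdigit() and int(h["age"]) > 0:   # seconds held in a cache
        found.append("age: " + h["age"])
    if "hit" in h.get("x-cache", "").lower():              # assumed proxy convention
        found.append("x-cache: " + h["x-cache"])
    if h.get("x-litespeed-cache", "").lower().startswith("hit"):
        found.append("x-litespeed-cache: " + h["x-litespeed-cache"])
    if len(h.get("x-varnish", "").split()) == 2:           # two IDs = Varnish hit
        found.append("x-varnish: " + h["x-varnish"])
    return found

def diagnose(headers, origin_log_lines, token):
    """Classify the response to the cache-busting request that showed the wrong user."""
    if cache_evidence(headers):
        return "served-from-cache"        # fix the cache rules for logged-in pages
    if not any("cb=" + token in line for line in origin_log_lines):
        return "answered-before-origin"   # some front-end proxy replied instead
    return "origin-or-application"        # dig into web server config / add-ons

# Constructed sample data (not taken from the thread).
SAMPLE_HEADERS = {"cf-cache-status": "DYNAMIC",
                  "cache-control": "private, no-cache, max-age=0"}
SAMPLE_LOG = ['203.0.113.7 - - [01/Jan/2024:10:15:02 +0000] '
              '"GET /forums/?cb=9f2c11aa HTTP/1.1" 200 48211']

if __name__ == "__main__":
    print(cache_busting_url("https://example.com/forums/"))
    print(diagnose(SAMPLE_HEADERS, SAMPLE_LOG, "9f2c11aa"))
```

Copy the headers from the browser's Network tab for the exact request that displayed the wrong user, and pass the lines of the origin server's access log for the same time window.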
 