
XF 2.0 Random Users Logged in for Visitors

#1
I've gotten a few reports from people going to register that when they visit the domain it shows the forum listing and it is "logged in" as a random user. But whenever they click on a forum, link, or anything it gives them a security error and redirects to the login page (guests have no access to view forum in my permissions). I was able to duplicate it a couple of times with incognito browsers and using different devices; randomly, when going to the root domain, it will load as a logged in user. Luckily clicking on anything clears the random user and goes to the login screen.

This does pose a 'security risk' and has made a few of my members nervous about someone else accessing their account. I have reassured them that it was only a bug on the first load, possibly a cache issue but that the visiting guest will not be able to view their conversations, profile, or use their account, it's only the first main page snapshot.
 
#2
This is really something strange I heard from you.

Instead of a bug it might be something which may be related to your installation only.

I too run it on a live forum, but I have not got any such scary report yet.

Still, I will check for it on my forum.


XF2 is also running the same version; I never see myself logged in as Chris D or Brogan etc ;)
 
#4
Not sure on heavy caching. I have not made any changes in the admin side with regards to cache. Should I try to clear it? I see a lot in there, which ones? Could it be a server side issue?

It's not all the time, but I've had a couple reports, was able to duplicate, and just saw it myself on my own phone when I pulled up the website it showed I was logged in as a random user, I clicked their profile and it gave me the security error and redirected to login. That's what reminded me to make this post.

Thanks for the fast replies BTW
 

Jake B.

Well-known member
#5
Not sure on heavy caching. I have not made any changes in the admin side with regards to cache. Should I try to clear it? I see a lot in there, which ones? Could it be a server side issue?
If it is set up it'd probably be a server configuration.

Any add-ons?
 
#6
PM me your forum URL.

It's really interesting to see such things happening.

Sorry if you get frustrated by my comments, I am not a coder but am interested to learn more things.
 

Chris D

XenForo developer
Staff member
#7
I've gotten a few reports from people going to register that when they visit the domain it shows the forum listing and it is "logged in" as a random user. But whenever they click on a forum, link, or anything it gives them a security error and redirects to the login page (guests have no access to view forum in my permissions). I was able to duplicate it a couple of times with incognito browsers and using different devices; randomly, when going to the root domain, it will load as a logged in user. Luckily clicking on anything clears the random user and goes to the login screen.

This does pose a 'security risk' and has made a few of my members nervous about someone else accessing their account. I have reassured them that it was only a bug on the first load, possibly a cache issue but that the visiting guest will not be able to view their conversations, profile, or use their account, it's only the first main page snapshot.
I just saw the same thing on your site.

This will indeed be related to some sort of caching mechanism on the server - it won't be directly related to XF. We've seen things like "Varnish" cause this in the past though it could be similar systems.
 

Chris D

XenForo developer
Staff member
#9
It's just one example of a caching mechanism that can cause such things:
https://varnish-cache.org/

I'm also seeing references in the responses coming back from the server related to LiteSpeed Cache.

To be honest, it could be any one of many different tools so in the first instance you'd be better off speaking with your host to see if they have anything which is caching and returning page output.
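
A check for the symptom discussed in this thread, as an added example that is not part of any poster's reply and not XenForo's own code: given the raw response to a request sent without cookies, it flags a shared-cache hit, a page rendered for a logged-in user, and a replayed session cookie. The `xf_` cookie names and the `data-logged-in` marker are assumptions about a default XenForo install, and the sample responses are constructed.

```python
import re

# Assumptions, not from the thread: XenForo's default "xf_" cookie prefix, and
# data-logged-in="true" in the page HTML as the marker of a logged-in render.
SESSION_COOKIE = re.compile(r"xf_(session|user)=", re.I)
LOGGED_IN_MARKER = 'data-logged-in="true"'
# Headers that shared caches add when they answer from their own store.
HIT_CHECKS = {
    "x-litespeed-cache": lambda v: v.lower().startswith("hit"),
    "x-varnish": lambda v: len(v.split()) == 2,  # two transaction IDs on a hit
    "age": lambda v: v.isdigit() and int(v) > 0,
}

def parse_response(raw):
    """Split a raw HTTP response into ([(lowercased name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    pairs = (line.partition(":") for line in head.split("\n")[1:])  # skip status
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs], body

def audit_guest_response(raw):
    """Return findings for a response to a request that sent no cookies."""
    headers, body = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    hit_by = sorted(h for h, is_hit in HIT_CHECKS.items()
                    if any(is_hit(v) for v in values(h)))
    findings = set()
    if hit_by:
        findings.add("cache-hit:" + ",".join(hit_by))
    if LOGGED_IN_MARKER in body:
        findings.add("logged-in-page-for-cookieless-request")
    if hit_by and any(SESSION_COOKIE.match(v) for v in values("set-cookie")):
        findings.add("cached-set-cookie")
    if hit_by and re.search(r"private|no-store", ",".join(values("cache-control")), re.I):
        findings.add("cache-ignored-cache-control")
    return findings

# Constructed samples, not captured from any real site.
LEAKED = ("HTTP/1.1 200 OK\r\n"
          "Cache-Control: private, no-cache, max-age=0\r\n"
          "X-LiteSpeed-Cache: hit\r\n"
          "Set-Cookie: xf_session=CONSTRUCTED; path=/; HttpOnly\r\n\r\n"
          '<html id="XF" data-logged-in="true">...</html>')
CLEAN = ("HTTP/1.1 200 OK\r\n"
         "Cache-Control: private, no-cache, max-age=0\r\n"
         "Set-Cookie: xf_csrf=CONSTRUCTED; path=/\r\n\r\n"
         '<html id="XF" data-logged-in="false">...</html>')

if __name__ == "__main__":
    print(sorted(audit_guest_response(LEAKED)), sorted(audit_guest_response(CLEAN)))
```

Any finding on a cookieless request to the forum root is something to take to the host, since a per-user page or cookie should never come out of a shared cache.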
 

Tracy Perry

Well-known member
#11
This will help other users who use cPanel hosting; they will follow the same steps to resolve.
Odds are this is not specific to cPanel itself, but using the optional HTTP server provided by LiteSpeed (a paid solution) that can also be interfaced with cPanel. Most hosting providers don't use LiteSpeed due to the cost of it. Mainly that is done by your higher end (better quality) shared hosting providers.