XF 2.0 [Serious issue]Auto logout from forum

[Codeless]

Hello

when i signin forum but while i browsing threads and other parts of forum everything fine when i click on Forum (Home ) its says i am not logged in forum
but then i click on signin its says i am already logged in forum

also i am getting some error message we ran into problem and accidently i logged out and i see i am logged in as normal users account (Random) today some of my forum members send me screen print when they refresh forum they was using my account

there is no chance that i am being hacked or something else but i am unable to figure out this issue

this very dangerous when normal users can access admin account i dont have anything in error log

 

[Paul B]

Sounds like a reverse proxy or caching issue of some sort.

Are you using Varnish, Cloudflare, and/or have caching configured in the config file?

 

[Codeless]

no config is default i am not using cloudflare but i install Engintron for cpanel few days ago problem start today

 

[Paul B]

That would be it then judging by the description of it.

Engintron for cPanel/WHM is the easiest way to integrate Nginx on your cPanel/WHM server. Engintron will improve the performance & web serving capacity of your server, while reducing CPU/RAM load at the same time. It does that by installing & configuring the popular Nginx webserver to act as a reverse caching proxy for static files (like CSS, JS, images etc.) with an additional micro-cache layer to significantly improve performance of dynamic content generated by CMSs like WordPress, Joomla or Drupal as well as forum software like vBulletin, phpBB, SMF or e-commerce solutions like Magento, OpenCart, PrestaShop and others.

It may need configuring correctly, or disabling.

Your sysadmin or host may be able to help.

 

[Codeless]

i also found

[17-Jan-2018 18:32:22 UTC] PHP Fatal error:  Class 'Zend_Registry' not found in /home/dslr/public_html/library/XenForo/Application.php on line 12

 

[Codeless]

i configured it very well issue came today

# /**
#  * @version    1.8.7
#  * @package    Engintron for cPanel/WHM
#  * @author     Fotis Evangelou
#  * @url        https://engintron.com
#  * @copyright  Copyright (c) 2010 - 2017 Nuevvo Webware P.C. All rights reserved.
#  * @license    GNU/GPL license: https://www.gnu.org/copyleft/gpl.html
#  */

server {

    listen 80 default_server;
    #listen [::]:80 ipv6only=on;

    server_name localhost;

    # deny all; # DO NOT REMOVE OR CHANGE THIS LINE - Used when Engintron is disabled to block Nginx from becoming an open proxy

    # Initialize important variables
    set $CACHE_BYPASS_FOR_DYNAMIC 0;
    set $CACHE_BYPASS_FOR_STATIC 0;
    set $PROXY_DOMAIN_OR_IP $host;
    set $PROXY_TO_PORT 8080;
    set $SITE_URI "$host$request_uri";

    # Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
    if ($query_string ~* "nocache") {
        set $CACHE_BYPASS_FOR_DYNAMIC 1;
        set $CACHE_BYPASS_FOR_STATIC 1;
    }

    # Proxy requests to "localhost"
    if ($host ~* "localhost") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    }

    # Proxy cPanel specific subdomains
    if ($host ~* "^webmail\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2095;
    }
    if ($host ~* "^cpanel\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2082;
    }
    if ($host ~* "^whm\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2086;
    }
    if ($host ~* "^webdisk\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2077;
    }
    if ($host ~* "^(cpcalendars|cpcontacts)\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2079;
    }

    # Set custom rules like domain/IP exclusions or redirects here
    include custom_rules;

    location / {
        try_files $uri $uri/ @backend;
    }

    location @backend {
        include proxy_params_common;
        # === MICRO CACHING ===
        # Comment the following line to disable 1 second micro-caching for dynamic HTML content
        include proxy_params_dynamic;
    }

    # Enable browser cache for static content files (TTL is 1 hour)
    location ~* \.(?:json|xml|rss|atom)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 1h;
    }

    # Enable browser cache for CSS / JS (TTL is 30 days)
    location ~* \.(?:css|js)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 30d;
    }

    # Enable browser cache for images (TTL is 60 days)
    location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
    }

    # Enable browser cache for archives, documents & media files (TTL is 60 days)
    location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
        set $CACHE_BYPASS_FOR_STATIC 1;
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
    }

    # Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
    location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
        add_header Access-Control-Allow-Origin *;
    }

    # Prevent logging of favicon and robot request errors
    location = /favicon.ico {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
        log_not_found off;
    }

    location = /robots.txt  {
        include proxy_params_common;
        include proxy_params_static;
        expires 1d;
        log_not_found off;
    }

    location = /nginx_status {
        stub_status;
        access_log off;
        log_not_found off;
        # Uncomment the following 2 lines to make the Nginx status page private.
        # If you do this and you have Munin installed, graphs for Nginx will stop working.
        #allow 127.0.0.1;
        #deny all;
    }

    location = /whm-server-status {
        proxy_pass http://127.0.0.1:8080;
        # Comment the following 2 lines to make the Apache status page public
        allow 127.0.0.1;
        deny all;
    }

    # Deny access to files like .htaccess or .htpasswd
    location ~ /\.ht {
        deny all;
    }

}

 

[Jake B.]

Try disabling include proxy_params_dynamic; the description above it mentions caching dynamic HTML which seems like it'd cause what you're mentioning

 

[Bryan]

Try

set $CACHE_BYPASS_FOR_DYNAMIC 1;

This disables the micro cache which is known to interfere with cookies and headers.

 

[Codeless]

i just removed Engintron i will use cloudflare

 

[Nirjonadda]

Engintron for cpanel

Disable micro-caching for dynamic content. Comment out line 70 in default.conf via Engintron's WHM app.

if ($SITE_URI ~* "mysite.com|mysite.com/index.php?login/|mysite.com/login|/register|/logout|/admin.php") {
set $CACHE_BYPASS_FOR_DYNAMIC 1; # Disables micro-caching
#set $CACHE_BYPASS_FOR_STATIC 1; # Disables static file caching

 

[thumped]

if you don't want to disable engintron and you want your config changes to survive an engintron upgrade, click on Edit your custom_rules for Nginx and add this to the bottom of the file

if ($http_cookie ~* "(xf_[a-zA-Z0-9_]+)") {
    set $CACHE_BYPASS_FOR_DYNAMIC 1;
    set $EXPIRES_FOR_DYNAMIC 0;
}

if you've changed your default cookie prefix then you'll need to change xf_ to whatever it is now.

 

[Nirjonadda]

if you don't want to disable engintron and you want your config changes to survive an engintron upgrade, click on Edit your custom_rules for Nginx and add this to the bottom of the file

if ($http_cookie ~* "(xf_[a-zA-Z0-9_]+)") {
    set $CACHE_BYPASS_FOR_DYNAMIC 1;
    set $EXPIRES_FOR_DYNAMIC 0;
}

if you've changed your default cookie prefix then you'll need to change xf_ to whatever it is now.

@thumped Using this rules then no need Disable micro-caching in Edit your custom_rules for Nginx?

 

[thumped]

@thumped Using this rules then no need Disable micro-caching in Edit your custom_rules for Nginx?

Yes, as far as i know it disables micro caching for xf cookies and xf cookies only.

 

[Nirjonadda]

Yes, as far as i know it disables micro caching for xf cookies and xf cookies only.

If using both, your code and disables micro caching then does happen any issue?

 

[thumped]

The point is that if you use that bit of code to disable microcaching of xenforo cookies only then you don't need to disable microcaching everywhere to address a xenforo-specific issue.

It fixed the issue for me anyway.

 

[congdongxaydung.vn]

I have a same problem, please tell me how to fix it? Thanks.

 

[Codeless]

i enabled some apache mode_cache or something similar. after problem i deleted it

 

[TPerry]

I have a same problem, please tell me how to fix it? Thanks.

Are you running under the same environment?
If so, the instructions above should work. If you are using something else (Plesk, etc) then you need to provide a little more details other than "help me fix this".

 

[atulgrover]

I have a same problem, please tell me how to fix it? Thanks.

 

[ShayanMemon]

same problem but nobody can fix this issue e