Not a bug "The active user has changed" message when navigating to forums via email notification links

TimePiloteer

New member
Affected version
2.x
I frequent a forum (forums.arcade-museum.com) that is Xenforo. The site works great for the most part, but recently has started giving me the message "The active user has changed. Reload the page for the latest version." This message only appears when I click a link to a thread/topic from the forum email notifications. My mail client is gmail, but it also happens if I forward a notification to my work Outlook desktop client and click a link there. Reloading the page with the browser's Refresh doesn't help; I stay signed out and continue to see the message. If instead of refresh, I click the permalink on any of the posts in the thread, the page refreshes and I am now signed in and the message goes away. This tells me that I do have an authentication cookie in my browser cache, but it is somehow not being recognized when navigating from an email. I do not know what version of xenforo forums, as there isn't any information displayed on that site to indicate it (anyone know if there is a link that a forum member can use to find out the xenforo version?). I've tried signing out, then fully clearing all cookies and browser cache, then signing in fresh again, then clicking the link in the email and still get that active user has changed message.

Happens in multiple different browsers, on iOS or even on Windows 10 and Windows 11 with Edge or Chrome latest versions. I was wondering if there was a configuration or php.ini cookie related setting that I could tell the forum administrator to try to help fix it.
 
That site seems to have configured their installation to set Strict same-site cookies, which will mean your cookies aren't visible to the server for cross-site requests like this. Making a new request from the site (i.e. navigating to a page) will allow the server to see the cookies, while reloads are still considered cross-site requests. Our session keep-alive behavior sends a same-site request in the background which detects this situation and displays this message.

They can set their cookie same-site configuration to Lax (or remove it entirely to use the browser default, generally Lax, which is the stock XF behavior) to mitigate this.
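An added example (not XenForo code and not part of the reply above) that models the browser's SameSite attach rules and the same-site keep-alive check the reply describes, so the Strict vs Lax difference can be traced step by step; the cookie name `session_demo`, the `webmail.example` site and the server-side user lookup are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

FORUM = "forums.arcade-museum.com"   # forum named in the thread
WEBMAIL = "webmail.example"          # constructed stand-in for the mail client's site

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str = "Lax"           # browsers treat a missing attribute as Lax

@dataclass(frozen=True)
class Request:
    initiator: Optional[str]         # site that triggered the request
    target: str
    top_level: bool                  # True for a GET navigation, False for fetch/XHR

def cross_site(req: Request) -> bool:
    return req.initiator is not None and req.initiator != req.target

def attached(req: Request, jar: list) -> list:
    """Cookies the browser attaches to req under each SameSite rule."""
    out = []
    for c in jar:
        if c.same_site == "None":
            out.append(c)                                   # always sent
        elif c.same_site == "Strict" and not cross_site(req):
            out.append(c)                                   # same-site requests only
        elif c.same_site == "Lax" and (not cross_site(req) or req.top_level):
            out.append(c)                                   # plus top-level navigations
    return out
def server_user(cookies: list) -> str:
    # Constructed server side: the session cookie resolves to the logged-in user.
    return next((c.value for c in cookies if c.name == "session_demo"), "guest")

def simulate(policy: str) -> dict:
    jar = [Cookie("session_demo", "TimePiloteer", policy)]
    from_email = Request(WEBMAIL, FORUM, top_level=True)    # link clicked in the email
    page_user = server_user(attached(from_email, jar))
    # Keep-alive: the rendered page fetches the server in the background, same-site.
    keepalive = Request(FORUM, FORUM, top_level=False)
    # Assumed: a browser reload re-issues the original request, so it stays cross-site.
    reload_user = server_user(attached(from_email, jar))
    permalink = Request(FORUM, FORUM, top_level=True)       # click a permalink on the page
    return {"thread_page_user": page_user,
            "message_shown": server_user(attached(keepalive, jar)) != page_user,
            "after_reload_user": reload_user,
            "after_permalink_user": server_user(attached(permalink, jar))}
```

`simulate("Strict")` reproduces the thread's symptom (guest page, message shown, reload still guest, permalink restores the session); `simulate("Lax")` sends the cookie on the email navigation and shows no message.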
 