XF 1.5 Users showing and logged in as wrong account

itismejoey

Hi there,

After recently moving XenForo from a development server to the production server and releasing, we found a bug which didn't appear during testing: users are sometimes given someone else's session. We've checked the xf_session cookies and they match the database, and the user has full control over that account, even though they never logged in. This presents a huge security risk for us. The forums are behind CloudFlare and have had the IP PHP edit in config.php added:
PHP:
 if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP']; }

We're in desperate need of some help with this, as we've tried clearing the xf_sessions table multiple times, forcing 2FA and installing CloudFlare Detect: https://xenforo.com/community/resources/solidmean-cloudflare-detect.1595/

Any help is appreciated.

Thanks!
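The config.php snippet above overwrites REMOTE_ADDR with CF-Connecting-IP unconditionally, so any client that can reach the origin without going through Cloudflare can claim an arbitrary address, and the IP that XenForo binds sessions to is then whatever the client chose. The following is an added example (not the poster's config.php and not XenForo's own code) of the same override, restricted to requests whose TCP peer is actually a Cloudflare edge. The CIDR list is an assumption for illustration; a deployment must load it from https://www.cloudflare.com/ips-v4 (and the IPv6 list) and refresh it, because the ranges change. The function names cfIpInCidr, cfIsCloudflareAddress and cfResolveClientIp are hypothetical helpers introduced here.

```php
<?php
// Added example: restore the real client IP behind Cloudflare, but only when the
// connecting peer (REMOTE_ADDR) is a Cloudflare edge. This is not code from the
// thread or from XenForo.

// ASSUMPTION: illustrative snapshot of Cloudflare's published IPv4 ranges.
// Replace with the current list from https://www.cloudflare.com/ips-v4 .
const CLOUDFLARE_IPV4_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
];

/** True if the IPv4 address $ip lies inside the CIDR block $cidr. */
function cfIpInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;               // not IPv4, or malformed
    }
    // Build a 32-bit mask with the top $bits bits set.
    $mask = (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True if $ip belongs to one of the trusted proxy ranges. */
function cfIsCloudflareAddress(string $ip, array $ranges = CLOUDFLARE_IPV4_RANGES): bool
{
    foreach ($ranges as $cidr) {
        if (cfIpInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Given a $_SERVER-style array, return the address XenForo should see as the
 * client. The header is honoured only when the peer is Cloudflare AND the
 * header value parses as an IP; otherwise the raw peer address is kept.
 */
function cfResolveClientIp(array $server): string
{
    $peer   = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_CF_CONNECTING_IP'] ?? '';

    if ($header !== ''
        && cfIsCloudflareAddress($peer)
        && filter_var($header, FILTER_VALIDATE_IP) !== false) {
        return $header;
    }
    return $peer;
}

// In config.php, instead of the unconditional override:
$_SERVER['REMOTE_ADDR'] = cfResolveClientIp($_SERVER);

// Constructed sample inputs showing the difference:
//   peer 173.245.48.10 (Cloudflare), header 203.0.113.5  -> 203.0.113.5
//   peer 198.51.100.7 (direct hit),  header 203.0.113.5  -> 198.51.100.7
```

The check only covers IPv4 peers; if the origin is reachable from Cloudflare over IPv6 the header is ignored and REMOTE_ADDR stays the edge address, which fails safe but means sessions are keyed on the edge IP. Doing this at the web server instead (nginx's ngx_http_realip_module with set_real_ip_from, or Apache's mod_remoteip) has the same effect and keeps the trusted-proxy list out of PHP. Also confirm the origin does not accept connections except from Cloudflare ranges, since that is what makes the header trustworthy in the first place.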
This isn't something we've ever seen with CloudFlare. If XF is getting the correct user IP, it should generally be difficult as well because we tie sessions to IPs.

The main other cause would likely have to be some sort of caching outside of XF. If there's some sort of cache on your web server (for example, a FastCGI cache), that could be causing the problem. Otherwise, if you have any add-ons, particularly ones that do integrations with other systems and handle logging people in, they could be involved.
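As an added example of the caching failure mode described in the reply above (not configuration from the thread or from XenForo), here is an nginx FastCGI cache that would produce exactly this symptom, beside a corrected form. Assumptions: XenForo behind nginx and php-fpm on a Unix socket, the XenForo cookie names xf_session (mentioned in the post) and xf_user, and a cache zone named xf; paths and timings are placeholders.

```nginx
# Added example, not the site's real configuration.
# Cache zone shared by both variants below.
fastcgi_cache_path /var/cache/nginx/xf levels=1:2 keys_zone=xf:10m inactive=10m;

# --- WEAK: the cache key is the URL only, and nginx is told to ignore the
# --- response headers that would normally stop a personalised page (one
# --- carrying Set-Cookie or Cache-Control: private) from being stored.
# --- The first logged-in user to request /index.php gets cached, and the
# --- next visitor to the same URL is served that user's page and session.
#
# location ~ \.php$ {
#     fastcgi_pass unix:/run/php/php-fpm.sock;
#     include fastcgi_params;
#     fastcgi_cache xf;
#     fastcgi_cache_key "$scheme$request_method$host$request_uri";
#     fastcgi_cache_valid 200 10m;
#     fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# }

# --- CORRECTED: never read from or write to the cache when the request
# --- carries a session or remember cookie, and let nginx honour
# --- Set-Cookie / Cache-Control from PHP (its default behaviour).

# 1 when the request has an XF session or "remember me" cookie, else 0.
# ASSUMPTION: cookie names xf_session and xf_user.
map $http_cookie $xf_skip_cache {
    default      0;
    ~xf_session  1;
    ~xf_user     1;
}

server {
    listen 443 ssl;
    server_name forum.example.com;          # placeholder
    root /var/www/xenforo;                  # placeholder

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;

        fastcgi_cache xf;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 10m;

        # Skip the cache entirely for anyone who has a session cookie.
        fastcgi_cache_bypass $xf_skip_cache;   # do not serve from cache
        fastcgi_no_cache     $xf_skip_cache;   # do not store in cache

        # Deliberately no fastcgi_ignore_headers Set-Cookie here: a response
        # that sets a cookie, or says Cache-Control: private, is not cached.

        # Diagnostic header to verify behaviour: HIT / MISS / BYPASS.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

To confirm the fix, request a page twice with a logged-in browser and once without; the logged-in requests should show X-Cache-Status: BYPASS and never HIT, and a HIT must only ever appear for a request that sent no session cookie. The same check applies to any other layer in front of PHP (Varnish, a Cloudflare page rule that caches everything), which would need its own equivalent of "do not cache when a session cookie is present".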