itismejoey
Member
Hi there,
After recently moving XenForo from a development server to the production server and releasing, we found a bug which didn't appear during testing: users are sometimes given someone else's session. We've checked xf_session cookies and they match the database, and the user has full control over that account, even though they never logged in. This presents a huge security risk for us. The forums are behind CloudFlare and have had the IP PHP edit in config.php added:
PHP:
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP']; }
We're in desperate need of some help with this, as we've tried clearing the xf_sessions table multiple times, forcing 2FA and installing CloudFlare Detect: https://xenforo.com/community/resources/solidmean-cloudflare-detect.1595/
Any help is appreciated.
Thanks!