Crossed Logins - users suddenly logged in under another username


Post by tbird65 » Tue Mar 20, 2018 2:33 pm

Greetings-

Our phpBB3 forums: https://www.vintagethunderbirdclub.net/phpBB3/index.php are hosted on OLM.net

Per the ACP:
Database server: MySQL(i) 5.6.39
PHP version: 5.6.32
Board version: 3.2.2

I'm getting miscellaneous reports that user A will log in and suddenly notice that they are logged in as user B. Once this happens, they can navigate as user B, make posts, send PMs, etc. I'm not sure if the impacted users are doing a fresh login or if they are returning to a saved login.

I tried changing the cookie name and then purging the cache and all logins, but I'm still getting these reports.

Note that I had 1-2 reports of this going back several versions (seemed to impact only one user), but had not heard of it happening again until yesterday and then there were multiple reports. I'm not sure if this is a phpBB3 thing or an issue with the server caching or something else.

Has anyone else had a similar experience, or is anyone aware of a misconfiguration that could trigger this?

Thanks for any insights.
-Brian


Post by KevC » Tue Mar 20, 2018 2:35 pm

It's caused by your hosts using caching on Cloudflare or Varnish on the server. It's caching the sessions so the next person can use the previous one if it hasn't expired. You need to get on to them.

Post by tbird65 » Tue Mar 20, 2018 5:51 pm

I received the following back from OLM:
We're not using Cloudflare or Varnish, we're using NGINX and we
have used nginx for a few years and never received complaints
about other phpBB... installations.

A few years ago we used to have to make manual adjustments
so that the phpBB parsing could see the visitor's real IP, but
that's not the case anymore.


Post by Mick » Wed Mar 21, 2018 9:11 am

Your Cookie domain shows (unset) - it requires an entry. (It should be .vintagethunderbirdclub.net)
Cookie secure shows Disabled and it should be Enabled if you’re using SSL.

See Knowledge Base - Fixing incorrect cookie settings

Post by 3Di » Wed Mar 21, 2018 10:37 am

Are you using Tapata*k?

Post by tbird65 » Thu Mar 22, 2018 5:10 pm

Mick- I had the cookie domain set properly, but then removed it based on the screen saying it was optional when initially trying to diagnose things. I just added it back. I enabled "Cookie secure."

3Di, The only extension I'm using is one for opening external links in new windows.

I noticed the Server protocol was https, but the port was still set to 80 so I changed that to 443.

No new reports of crossed logins for now. We'll see.

Thanks.
-Brian


Post by tbird65 » Fri Apr 13, 2018 2:42 pm

Unfortunately after a few good weeks, I got another report of a crossed login this morning. Apparently OLM has other clients running phpBB and we're the only client reporting this issue.

User is staying logged in from device to device & session to session. They clicked into one forum and their listed username changed, but once they clicked a specific post or to the user control panel, the correct username was shown.


Post by Noxwizard » Fri Apr 13, 2018 3:42 pm

There are two situations where this happens:
  1. Your host sets up a proxy in front of your site. You can tell this by looking at the Who Is Online list and seeing if every user has the same IP (usually the IP of the proxy). The proxy can be their own hardware or something like CloudFlare. The host needs to configure the proxy or web server to correctly reset the client IP header.
  2. Your host sets up caching on the server. This can be harder to spot if the debugging information isn't made available in the response headers. The host needs to configure the proxy to not cache user sessions. This is usually application specific, which is why you can't just roll out a cache without tuning it to your customers' needs.
From the response headers on your site, I see that your host is using nginx's caching mechanism: x-nginx-cache-status: MISS
If it hasn't been tuned at all, they're probably caching logged-in user sessions, which they should not do. We run Varnish on this site, but we don't cache the response to a request which contained cookies to avoid that kind of problem.
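A check for the caching problem described in the last reply, as an added example that is not part of the thread and is not phpBB or nginx code. It audits captured request/response header pairs for signs that a shared cache is answering cookie-bearing requests; the header captures and cookie names are constructed, and it assumes the x-nginx-cache-status header carries nginx-style states such as HIT, MISS and BYPASS.

```python
# Added example, not phpBB or nginx code. Sample headers below are constructed.
CACHE_STATUS = "x-nginx-cache-status"  # header name quoted in the post above

def parse_headers(raw):
    """Turn 'Name: value' lines into {lowercase name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(request_raw, response_raw):
    """Return finding codes for one request/response header pair."""
    req, resp = parse_headers(request_raw), parse_headers(response_raw)
    # Assumption: the header carries nginx-style states (HIT, MISS, BYPASS, ...).
    status = resp.get(CACHE_STATUS, [""])[0].upper()
    findings = []
    if status == "HIT" and "set-cookie" in resp:
        # A stored response is handing the same session cookie to every visitor.
        findings.append("HIT_REPLAYS_SET_COOKIE")
    if status == "HIT" and "cookie" in req:
        # A request that identified a user was answered from the shared cache.
        findings.append("HIT_FOR_COOKIE_REQUEST")
    if status in ("MISS", "EXPIRED") and "cookie" in req:
        # Advisory: the cache was consulted; confirm the response is not stored.
        findings.append("COOKIE_REQUEST_NOT_BYPASSED")
    return findings

# Constructed captures; host, cookie names and values are placeholders.
ANON_REQ = "Host: forum.example\nAccept: text/html"
USER_REQ = "Host: forum.example\nCookie: phpbb3_xxxxx_sid=SESSION-A; phpbb3_xxxxx_u=2"
SAMPLES = {
    "anonymous page from cache": (ANON_REQ, "Content-Type: text/html\nX-Nginx-Cache-Status: HIT"),
    "cached login response": (ANON_REQ, "Set-Cookie: phpbb3_xxxxx_sid=SESSION-B; path=/\nX-Nginx-Cache-Status: HIT"),
    "logged-in request served from cache": (USER_REQ, "Content-Type: text/html\nX-Nginx-Cache-Status: HIT"),
    "logged-in request, cache skipped": (USER_REQ, "Content-Type: text/html\nX-Nginx-Cache-Status: BYPASS"),
    "logged-in request, cache consulted": (USER_REQ, "Content-Type: text/html\nX-Nginx-Cache-Status: MISS"),
}

def run_samples():
    """Audit every constructed capture and return {label: findings}."""
    return {label: audit(req, resp) for label, (req, resp) in SAMPLES.items()}

if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label}: {findings or 'ok'}")
```

Feed it header pairs saved from a browser's network panel while logged in to your own board; any HIT finding is evidence to send to the host.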
