Wrong user being logged in

Hello,

We're running Vanilla Version 2.0.17.8 and recently we noticed when we log in sometimes we're logged in as a completely different user (not the user we logged in with). And we've heard from other users that when they log in they are also being logged in as the wrong user. Has anyone else run into this issue?

We tried to upgrade to the latest version of Vanilla thinking that might help, following the official instructions here http://vanillaforums.org/docs/installation-upgrade but that completely deletes all the content / discussions / comments on the website!

Any ideas what we can do?

Answers

  • I can even post as other users by logging into my account. It's random too - I'll log in and I'll be logged in as User X (not me) and can post discussions as them. Sign out and back in and I'll be logged in as User Y. Could this be an issue with server side sessions or something?

  • Suggestion - pursue working on upgrade, instead of wasting your time with an old version

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • 422 Developer MVP

    Sounds like authentication issue.

    Are you embedded?

  • peregrine said:
    Suggestion - pursue working on upgrade, instead of wasting your time with an old version

    And here is the link to the thread of the non-working upgrade:

    http://vanillaforums.org/discussion/19928/how-to-upgrade

    I'll try to help you in the upgrade thread, I'll ask a few questions over there first...

  • Ok - I'm going to give updating a try again.

    @422 what do you mean 'embedded'? I'm running the standalone version of Vanilla if that's what you're referring to?

  • I think 422 means with embedded that it's linked inside WordPress, which is not the case with your site :-)

  • @UnderDog, oh ok. Yea we're not doing any linking with WordPress for this forum. We've done the update to version 2.0.18.4, and are currently running some tests to see if that cleared up the incorrect user login issue. Will post back what we find..

  • peregrine MVP
    edited April 2012

    I bet it did. Aren't you glad you tried again?

    edit after seeing your followup, I am glad I didn't bet anything valuable as collateral.

  • OK - we've run some tests and Vanilla is still logging people in as the wrong user. We're using the default theme, and running the latest Vanilla (2.0.18.4). We're only using the default plugins.

    Attached are some screenshots showing the behavior. Here we've logged in as the admin (primary/initial) user 'Andrea'. Image 01 shows that despite logging in as Andrea, Vanilla thinks we are user 'rtraves'. Refreshing the page (image 02) shows that we're logged in as user 'DarleneWard'. We can post discussions as both these users too. However, sometimes Vanilla thinks we are other users too. When other users try and log in Vanilla does the same and thinks they are other people. One user even told us Vanilla logged them in as Andrea, the super admin and they were able to access the dashboard!!

    Lastly, image 03 shows that when we try and log out Vanilla does finally show that the user 'Andrea' was in use.

    Note: This forum is used as a private / internal forum for an organization. So all users are behind a single firewall and all share the same internal IP range. HOWEVER - If I log in from an external computer (not on their network) I am unable to reproduce the incorrect user bug - I am always logged in as the correct user.

    Anyone else seeing this behavior or have any suggestions? Thanks!

    Image 01 - http://imagebin.org/209841
    Image 02 - http://imagebin.org/209842
    Image 03 - http://imagebin.org/209843

  • peregrine MVP
    edited April 2012

    some ideas.

    check and see if two users have the same session id, the musical chairs probably occurs from the last access from an individual.

    take a look in the session table and look at the transient keys and session keys. Could be a case of users getting sessions from a previous ip address.

    Also check the contents of your vanilla cookies.

    you could try emptying the session table first and then see how it fills up.

    Are you sure your NAT is not fouling it up, or the timing in the reuse of ip addresses.

  • Hi @peregrine,

    The GDN_Session table is empty. Should it be full?

    And users do have cookies being stored, they all just have one big cryptic string of characters for the cookie value.

    What am I looking for with regards to the session table and cookies?

    We've inquired with the organization IT department to see if something is up with their NAT. And will report back with their reply.

    Thanks for your ideas and feedback!

  • peregrine MVP
    edited April 2012

    I assume the table inserts an entry or entries when somebody logs in. I was thinking of this scenario - I was just venturing a guess the sessions might be "hijacked" because of sequential users getting the same IP. Not really sure. I hope you are not testing multiple users on the same computer simultaneously - because I don't think that will ever work. You might check into the DHCP (see if it's working properly) also if you use it.

    I am just guessing at all this I don't have a solution, just seeing if you can find a pattern.

  • OK - We've corrected the issue by disabling caching on the network router that the organization uses. Again, only users within said network were being logged in as incorrect users.. this quote from their IT sums up what the issue was..

    "Well, this is fun! I connected to the forum and started looking around and in a short time I became Andrea. So I kept opening other pages and all of a sudden I became another user. A few more pages and I was back to being Andrea. It was amazing.

    I talked with our network manager and he blocked the forum from being cached by our firewall. All of a sudden the fun came to a screeching halt, no more assumed identities."

    Should I file a bug with the Vanilla team? I would assume other organizations / firewall users may run into this same type of issue?
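
The cause found in this thread, a shared cache on the network path replaying one user's responses to others, can be checked for from the application side by auditing which user-specific responses a shared cache is allowed to store. This is an added example, not part of the original thread or of Vanilla's code; the helper names and sample responses are constructed, and the check simplifies HTTP caching rules (it ignores `Vary` and the `Authorization` header).

```python
# Added example: hypothetical helper names, constructed sample responses.
HEURISTIC_STATUSES = {200, 203, 204, 300, 301, 404, 410}  # cacheable by default (subset)


def parse_cache_control(value):
    """'max-age=60, Private' -> {'max-age': '60', 'private': None}"""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_verdict(status, headers, request_had_cookie=False):
    """Classify one response the way a standards-following shared cache may treat it."""
    fields = {}
    for name, value in headers:  # header names are case-insensitive and may repeat
        fields.setdefault(name.lower(), []).append(value)
    cc = parse_cache_control(",".join(fields.get("cache-control", [])))

    if "set-cookie" not in fields and not request_had_cookie:
        return "not-user-specific"
    if "private" in cc or "no-store" in cc:
        return "ok"  # a shared cache must not store this response
    if "no-cache" in cc:
        return "revalidate-only"  # may be stored, but not reused without asking the origin
    if cc.keys() & {"public", "s-maxage", "max-age"} or "expires" in fields:
        return "storable-explicit"
    if status in HEURISTIC_STATUSES:
        return "storable-heuristic"  # no directive: the cache may pick its own lifetime
    return "ok"


def audit(responses):
    """Return (path, verdict) for each user-specific response a shared cache may replay."""
    risky = []
    for path, status, headers, had_cookie in responses:
        verdict = shared_cache_verdict(status, headers, had_cookie)
        if verdict.startswith("storable"):
            risky.append((path, verdict))
    return risky


# Constructed sample: (path, status, response headers, request carried a Cookie).
SAMPLE = [
    ("/signin", 200, [("Set-Cookie", "sid=CONSTRUCTED; HttpOnly")], False),
    ("/discussions", 200, [("Cache-Control", "max-age=300")], True),
    ("/profile", 200, [("Cache-Control", "private, no-cache, no-store")], True),
    ("/static/site.css", 200, [("Cache-Control", "public, max-age=86400")], False),
]
```

A sign-in response that carries `Set-Cookie` with no `Cache-Control` at all is the worst case: a cache that stores it hands the same session cookie to the next client.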

  • peregrine MVP
    edited April 2012

    It's an interior organization problem, not a bug with vanilla, from what you are saying.
    It would have been interesting to have lots of users at your interior site logging in to some other interior applications (that are used heavily inside your network and have sessions) to see if you also had the same results. Glad you solved it and you're on the new version.