
Members getting logged in as other members, seeing their PMs, etc


Meddysong
Solved by Jim M

This isn't about one of my own licenses but about a community I'm a member of. It appears to have been upgraded yesterday. (I assume to 4.7.4. The admin doesn't seem interested enough to know how to make beta releases available.)

There have been all sorts of problems with members (including me) showing as logged in as other members. The admin has responded that it was a caching issue, and now people are posting as themselves again, so the situation has apparently been resolved. It seems clear from comments that members have been reading other members' PMs, and accessing protected areas of the site where a particular member group speaks in the expectation that conversations are not viewable elsewhere.

It might be that this is a fault that you're aware of and have corrected. If not, it seems a massive cause for concern if it's something which might occur on other communities.

I've recorded a video of me navigating the site this morning and showing as three different users depending on which link I click (forum category/topic/last post). If somebody from IC would like to contact me, I'd be happy to share it and details of the site if further investigation is required.


  • Solution

This would be server caching doing something it is not supposed to. It either was caching whole pages or sessions, which results in the behavior you’re describing. This would have been a server configuration fault by the server administrator of the site rather than a software issue. We would never expose other users' information in a manner like this.


40 minutes ago, Jim M said:

We would never expose other users' information in a manner like this.

Not intentionally, no, which is why I thought I should raise it! If you're confident that it's nothing to do with the software (and the admin there did indeed say "caching issue"), feel free to delete this entire topic, Jim, in case somebody somewhere misrepresents it. ("I heard that ... ")


We are indeed confident in this. It's only shown to the logged-in session. So the only way that can happen is if that session data is being cached by the server, which it shouldn't be doing. If it's been corrected by clearing cache, that will only correct it temporarily, so they would indeed need to ensure session data isn't being cached.


This sounds like the other site is using a CDN that is actually caching the base pages.

With a CDN... if the caching rules are not set up correctly... if I come to the site and visit a page logged in as me, it stores that page... INCLUDING all the content that I see on the page. The next person that comes along that connects to the same CDN server gets served the same page instead of going back to the origin.

This is why if you do use a CDN, you must either not cache base pages OR configure it to ignore cache for logged-in users. 🙂

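The failure described in the post above, next to the corrected rule, as an added example that is not part of the original thread or of any product's code. A toy cache keyed by URL only stands in for the CDN edge; the `member_id` cookie, the path and every function name are constructed for illustration.

```python
# Added illustration: a toy edge cache in front of a toy origin.
# The member_id cookie, paths and all names are constructed, not from any real product.
SESSION_COOKIES = ("member_id",)  # assumed name of the login cookie

def origin(path, cookies):
    """Render the page for whoever the session cookie identifies."""
    user = cookies.get("member_id", "Guest")
    cc = "private, no-store" if "member_id" in cookies else "public, max-age=60"
    return {"Cache-Control": cc}, f"<h1>{path}</h1><p>Signed in as {user}</p>"

def logged_in(cookies):
    return any(name in cookies for name in SESSION_COOKIES)

def storable(cookies, headers):
    """Corrected rule: store only anonymous responses the origin marks shareable."""
    if logged_in(cookies) or "Set-Cookie" in headers:
        return False
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    return not directives & {"private", "no-store", "no-cache"}

class EdgeCache:
    """safe=False models the 'cache every base page' rule; safe=True the fix."""
    def __init__(self, safe):
        self.safe, self.store = safe, {}

    def get(self, path, cookies):
        bypass = self.safe and logged_in(cookies)  # never serve members from cache
        if not bypass and path in self.store:
            return self.store[path]                # cache hit, keyed by URL only
        headers, body = origin(path, cookies)
        if not self.safe or storable(cookies, headers):
            self.store[path] = body
        return body

def replay(safe):
    """Alice loads a topic logged in; Bob and a guest then request the same URL."""
    edge = EdgeCache(safe)
    visits = [("alice", {"member_id": "alice"}),
              ("bob", {"member_id": "bob"}),
              ("guest", {})]
    return {who: edge.get("/topic/1", c) for who, c in visits}

if __name__ == "__main__":
    for safe in (False, True):
        print("safe" if safe else "misconfigured", replay(safe))
```

With the misconfigured rule, Bob and the guest both receive the page rendered for Alice; with the corrected rule each member gets their own page and only the guest's page is stored.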

2 hours ago, Randy Calvert said:

This sounds like the other site is using a CDN that is actually caching the base pages.

With a CDN... if the caching rules are not set up correctly... if I come to the site and visit a page logged in as me, it stores that page... INCLUDING all the content that I see on the page. The next person that comes along that connects to the same CDN server gets served the same page instead of going back to the origin.

This is why if you do use a CDN, you must either not cache base pages OR configure it to ignore cache for logged-in users. 🙂

Ding ding ding, that's pretty much exactly what the admin on the site has said, Randy! 🙂
