Strange problem: login as another user

+3 votes
622 views
asked Oct 27, 2016 in Q2A Core by civil.engineer
edited Nov 3, 2016 by civil.engineer

Hello guys,

I searched but couldn't find any problem like this, nor any solution. My members sometimes log in as another member. They can change their account, they can ask as another member.

To explain clearly, for example I registered here as civil.engineer; I posted questions, some answers etc. After 1 week I try to log in but it doesn't ask me for the username or password. It automatically logs me in as another member (for example Jackson) and I can continue as Jackson on the website and can ask questions, answer, and also change all of Jackson's account information, including his password.

That's a big problem, what can be the reason?

Edit: My hosting company upgraded PHP from 5.3 to 5.4. This problem occurred after this. I transferred my site to another server which has PHP 5.3 and reloaded my backup. After all that, I thought it was OK, the problem was solved. But it is still continuing. Because the old logins as another user probably have the cookies and still continue. Yesterday my friend called me and said he logged in as admin. It was my friend, but if it were not, he could blow up my Q2A :)

What can I do? Maybe logging out all users will solve this problem, but how can I do that?

I believe the solution is in the MySQL database but I don't know where to check.

Thanks

commented Nov 6, 2016 by arjunsuresh
@pupi I agree. "open-login" could be the possible culprit. Because I had this problem at some point of time but not very severe as it happened only once or twice. I don't know how it got fixed but as of now I don't have this issue. Maybe the upgrade fixed it as I had this issue when I was using 1.6.3 or 1.7.0 and am now using 1.8. Not sure if the open-login plugin was upgraded in between. Moreover I use only Facebook/Google and only a minute number of users log in via these and the majority use normal login. Maybe this bug still exists.
commented Nov 30, 2016 by teju2friends
Arjun, I still face this issue.. Any suggestions?

7 Answers

+1 vote
answered Oct 27, 2016 by civil.engineer
To explain clearly, for example I registered here as civil.engineer; I posted questions, some answers etc. After 1 week I try to log in but it doesn't ask me for the username or password. It automatically logs me in as another member (for example Jackson) and I can continue as Jackson on the website and can ask questions, answer, and also change all of Jackson's account information, including his password.

That's a big problem, what can be the reason?
commented Oct 27, 2016 by Arjun Suresh
Well I don't know exactly, but I had once faced this issue long back but couldn't investigate further. Anyway it is better for you to go straight to Q2A 1.8 as it is much faster and has a lot more features. Or go for Q2A 1.7.4.
0 votes
answered Nov 3, 2016 by civil.engineer
Hello, any other idea, solution, advice?
commented Nov 5, 2016 by q2a.info
I don't think this is an issue with Q2A v1.6.3. Can you share your site? We can look into what is causing the issue.
+1 vote
answered Nov 30, 2016 by teju2friends
edited Nov 30, 2016 by teju2friends

I am on 1.8, with open login for FB & Google.
Native registration still enabled...

My users reported this while doing native registration.

The bug is like this... Whoever logs in last, their user name is taken by the next person...

Maybe a rough guess: it happens only if the users cross the 1024 magic number.

I deleted all spam users to bring down the user count < 1024, and the issue is no longer appearing. But more users will register soon & the problem will appear again.


Facing same issue...
Any solution for this???

Update 3: I tried disabling the Open-login plugin. Cleared all cache. But the issue still remains. This seems to be a problem with core.

Update 2: Is it something to do with session ID generation?

Update 1: Error log from server

[25-Nov-2016 05:03:25 America/Denver] PHP Fatal error:  Uncaught exception 'Hybrid_Exception' with message 'You cannot access this page directly.' in /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php:211
Stack trace:
#0 /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php(117): Hybrid_Endpoint->authInit()
#1 /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php(51): Hybrid_Endpoint->processAuthStart()
#2 /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php(72): Hybrid_Endpoint->__construct(NULL)
#3 /mydomain/qa-plugin/q2a-open-login-master/qa-open-login.php(137): Hybrid_Endpoint::process()
#4 /mydomain/qa-include/qa-page.php(102): qa_open_login->check_login()
#5 /mydomain/qa-include/qa-page.php(822): qa_check_login_modules()
#6 /mydomain/qa-include/qa-index.php(194): require( in /home5/pulsetho/public_html/theupsconline/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php on line 217

commented Nov 30, 2016 by teju2friends
Updated error log from server
commented Nov 30, 2016 by teju2friends
Anyone for help... :(
+1 vote
answered Dec 1, 2016 by Scott
You said you are using v1.8 and mention the cache. Are you talking about the browser cache, or the new caching feature in Admin>Caching?

If it's the latter can you try disabling it and see if it resolves the issue?

I found a small issue with that feature the other day. I don't think it should affect your situation but it is a possibility.

PS sorry for the late reply, somehow I missed this question.
commented Dec 2, 2016 by teju2friends
Hi, I tried disabling server caching (& removed settings from config files). But the problem was never solved.
Now I am seeing this problem in 1.74 core, with no plugins (login related) installed.
+5 votes
answered Dec 3, 2016 by pupi1985

It seems this issue is related to hosting companies performing an aggressive and extremely naive caching. You can see HTTP headers like the following ones in your request:

X-Cacheable: NO:Not Cacheable
X-Served-From-Cache: Yes

This caching seems to be activated when some limit (bandwidth, disk access, CPU, etc.) is reached. This is usually related to shared hosting and seems to be a way to turn (force?) you into paying for a VPS, which won't be subject to that "throttling" as they call it.

This thread mentioned this issue in HostGator:

https://community.mybb.com/archive/index.php?thread-153267.html

I can confirm this is also happening in Bluehost.

commented Dec 4, 2016 by Scott
Wow that's crazy, and downright *dangerous*. Q2A outputs headers specifically to prevent caching.

At least, if I'm not mistaken, it wouldn't allow someone who appears to be logged in as 'admin' to be able to actually execute any admin functions - as they wouldn't have the true admin cookie. But they could still view anything the admin could.
commented Dec 4, 2016 by pupi1985
I can't confirm if users that (unintentionally) impersonate admin users can change the settings. However, I can confirm that they can post/answer questions as the users they impersonate.

This even happens with paid plans for shared hosting, not just the free ones.
commented Dec 4, 2016 by Scott
Hmm OK, sounds like there's more to it than just the caching. I suppose if the host's caching also caches any "Set-Cookie" headers, that would actually gift the user someone else's cookie, so log them in as another user.
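
The failure mode discussed in this answer and its comments, as an added example that is not part of the original thread: a header audit that flags a response served from the host's cache even though the origin marked it uncacheable, and that detects the same `Set-Cookie` value being handed to two independent clients. The sample responses, the cookie values and the `Cache-Control` line are constructed assumptions; only `X-Cacheable` and `X-Served-From-Cache` come from the thread.

```python
# Added example (not from the thread): audit HTTP response headers for a
# shared cache that replays responses the application marked uncacheable.
from email.parser import Parser

# Constructed sample responses, as two different cookie-less clients might
# receive them from a throttled shared host. Cookie values are made up.
CLIENT_A = """\
Cache-Control: no-store, no-cache, must-revalidate
X-Cacheable: NO:Not Cacheable
X-Served-From-Cache: Yes
Set-Cookie: PHPSESSID=constructed0123abcd; path=/
"""
CLIENT_B = CLIENT_A  # the cache replays the identical response
HEALTHY = """\
Cache-Control: no-store, no-cache, must-revalidate
Set-Cookie: PHPSESSID=constructed9999ffff; path=/
"""

def parse(raw):
    """Parse a raw header block into a case-insensitive message object."""
    return Parser().parsestr(raw, headersonly=True)

def cookies(msg):
    """Return the set of name=value pairs from every Set-Cookie header."""
    return {c.split(";", 1)[0].strip() for c in msg.get_all("Set-Cookie", [])}

def audit(raw):
    """Flag a cache hit that contradicts the origin's own headers."""
    msg, findings = parse(raw), []
    hit = msg.get("X-Served-From-Cache", "").strip().lower() == "yes"
    if not hit:
        return findings
    cc = msg.get("Cache-Control", "").lower()
    forbidden = any(d in cc for d in ("no-store", "no-cache", "private"))
    if forbidden or msg.get("X-Cacheable", "").upper().startswith("NO"):
        findings.append("cache-ignored-origin-directive")
    if cookies(msg):
        findings.append("set-cookie-served-from-cache")
    return findings

def shared_cookies(raw_a, raw_b):
    """Cookies issued identically to two independent clients."""
    return cookies(parse(raw_a)) & cookies(parse(raw_b))

if __name__ == "__main__":
    print(audit(CLIENT_A), shared_cookies(CLIENT_A, CLIENT_B))
```

Any non-empty result from `shared_cookies` on responses captured from two separate cookie-less clients means session identifiers are being replayed, and existing sessions should be invalidated once the caching layer is out of the path.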
0 votes
answered Oct 14 by fahimalfarhan
Same problem here. Please help me to solve this.