
Emergency Help required on 'Login as other user'. Ready to Pay

+2 votes
284 views
asked Nov 30, 2016 in Q2A Core by teju2friends
edited Dec 4, 2016 by teju2friends

I am facing an issue with my site. Please help me.

It's an emergency :'(

http://www.question2answer.org/qa/54400/strange-problem-login-as-another-user

----------------------------------------------------------------------------------------------------------------------

Update 1: I have migrated back to 1.74 (with all user credentials reset)

It's pure core Q2A. No other user authentication plugin is used. The problem STILL exists.

Last registered user account will be logged in to someone else...!!!

----------------------------------------------------------------------------------------------------------------------

Update 2: Finally, the issue got resolved.

Special thanks to @pupi1985, who dug into the root of the issue :)

The issue was with shared hosting. The server was serving cached data!

Response header containing the flag X-Served-From-Cache: Yes

Solution: Move out of shared hosting to a VPS!

PS: For the 1.8 release, can we add this check during the installation process to stop users from installing on such servers?

-----------------------------------------------------------------------------------------------------------------------

Q2A version: 1.8
commented Dec 1, 2016 by teju2friends
Any updates ....
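As an added example (not part of the original post and not Q2A code), the Python below audits a captured response head for the symptom reported in Update 2: a response marked as served from a cache even though it sets a cookie or carries a Cache-Control directive that forbids shared caching. The function name, the finding labels, the sample responses and every marker other than X-Served-From-Cache are assumptions made for illustration.

```python
from email.parser import Parser

# Markers of a cache hit. X-Served-From-Cache is the header reported in this
# thread; the rest are common conventions (assumption: a host may use others).
HIT_MARKERS = {
    "x-served-from-cache": ("yes",),
    "x-cache": ("hit",),
    "x-cache-status": ("hit",),
    "x-proxy-cache": ("hit",),
}
NO_SHARE = {"no-store", "no-cache", "private"}

# Constructed sample responses (not captured from any real site).
SAMPLE_CACHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0, private, no-cache, no-store, must-revalidate
Set-Cookie: qa_session=constructed-handle/constructed-code/1; path=/; HttpOnly
X-Served-From-Cache: Yes
"""
SAMPLE_ORIGIN = SAMPLE_CACHED.replace("X-Served-From-Cache: Yes\n", "")


def audit_response(raw):
    """Return findings for one captured response head (status line + headers)."""
    _status, _, rest = raw.lstrip().partition("\n")
    msg = Parser().parsestr(rest, headersonly=True)
    hit = any(
        value.strip().lower().startswith(prefixes)
        for name, prefixes in HIT_MARKERS.items()
        for value in msg.get_all(name, [])
    )
    age = (msg.get("age") or "").strip()
    if not hit and not (age.isdigit() and int(age) > 0):
        return []  # nothing indicates an intermediary cache answered
    findings = ["served-from-cache"]
    if msg.get_all("set-cookie"):
        # A replayed Set-Cookie hands one visitor's session to the next one.
        findings.append("cached-set-cookie")
    directives = {
        d.strip().split("=")[0]
        for cc in msg.get_all("cache-control", [])
        for d in cc.lower().split(",")
    }
    if directives & NO_SHARE:
        findings.append("cache-ignored-cache-control")
    return findings


if __name__ == "__main__":
    for label, raw in (("cached", SAMPLE_CACHED), ("origin", SAMPLE_ORIGIN)):
        print(label, audit_response(raw))
```

An empty result only means no known marker was present; a cache that adds no header at all will not be flagged by this check.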

3 Answers

+3 votes
answered Dec 1, 2016 by sama55
edited Dec 1, 2016 by sama55

This is my reasoning, so it may not be correct. But I would like to show you one solution.

If there is any bug in the open login plugin, you should delete it. However, deleting the plugin will not solve the login problem. Because, if the user checked "remember" option on the login page, session (login) data will be stored in the user's machine (cookie) for one month. If the user visits your site again, Q2A will automatically log in using incorrect login data.

I think there are several ways to solve this problem. The easiest way is to temporarily change Q2A session variables. Incorrect login data on the client (cookie) expires after one month. Therefore, you can restore the core program after one month.

How to change core program:

  1. Open qa-include/app/users.php with any text editor
  2. Replace "'qa_session" with "'qa_session_temp" (there will be 15 such lines)

Example of L198:

//setcookie('qa_session', $handle.'/'.$sessioncode.'/'.($remember ? 1 : 0), $remember ? (time()+2592000) : 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
setcookie('qa_session_temp', $handle.'/'.$sessioncode.'/'.($remember ? 1 : 0), $remember ? (time()+2592000) : 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);

I cannot compensate you for any damage due to this change. Therefore, you must do this at your own risk. However, this measure may be useful if you are in trouble.

commented Dec 1, 2016 by teju2friends
Thanks for the response.

Now users get automatically logged in to a random account when they click the 'Register' or 'Login' button (without filling in the username & password) for the first time.

But once they log out, everything works normal.

I tried installing new browser to eliminate cache/cookie possibility.

Any solution/workaround for this?
commented Dec 4, 2016 by teju2friends
@sama55, Thanks for the help. :)
+3 votes
answered Dec 4, 2016 by Scott
Glad you found your answer. I don't know who your host is but what they have done is a huge security breach so I wouldn't trust them, even with a VPN! At worst all they should do in this situation, when a site gives a no-cache header, is return an error page.

As to your question, I don't think there would be any way to check if a server will have this problem. Most shared servers do not do this caching thing, plenty of people have used Q2A on shared servers and no one has come across this problem before.
commented Dec 5, 2016 by teju2friends
@Scott, thanks for your efforts building this platform.
0 votes
answered Jul 6 by vivian
edited 11 hours ago by vivian
I also got the same problem after installing the chat master plugin. I am using version 1.7.5 on shared hosting. Open Login is also there. It's the first time I am seeing this problem. So I deleted the plugin. The problem is still there. I contacted the hosting company and they told me they don't use any caching on shared hosting. I asked them whether they are using Nginx fastcgi to serve static pages. Their main server is Nginx and the application server is Apache. They replied telling me to add this to the .htaccess file.

Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"

Just added the thing to htaccess.

Update: still the problem is there even on 1.8. Now deleted open login. Waiting to see whether it is happening again or not. So a VPS is a must for using q2a?!!
commented 9 hours ago by vivian
Hosting company is saying again that they don't have any kind of caching on Apache (cpanel ) hosting as default.

They are suggesting to change the setting of cache expire time or check the site's code.

According to them a VPS can't make any change.
...