Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+3 votes
2.9k views
in Q2A Core by
edited by

hello guys

I searched but couldnt find any problem like this, so that any solution. My members  sometimes login as another member. They can change their account, they can ask as another member.

to explain clearly, for example I registered here as civil.engineer; I posted questions, some answers etc. after 1 week i try to login but it doesnt ask me the username or password. it  automatilacally log me in as another member ( for example Jackson) and i can continue as Jackson on the website and can ask questions, answer, also can change Jackson's all account informations include his password.

Thats a big problem, what can be the reason ?

Edit : My hosting company upgraded php from 5.3 to 5.4. This problem occured after this. I transfered my site to another server which php 5.3 and reloaded my backup.  After all, I thought it is ok, the problem is solved. But it is still contiuning. Becaue old logins as another user, probably has the cookies and still continue. Yesterday my friend called me and said I login as admin. It was my friend but if is not, he could blow up my q2a :) 

What can I do ? May be make logout all users will solve this problem but how can I do ? 

I believe the solution on mysql database but I dont know where to check. 


thanks

by
I don't think this is related to Q2A. You have not mentioned how you are authenticating your users (e.g.: are you using external users?). You have not provided step by step instructions on how the backup was created and how it was restored either. Also you haven't mentioned if you have made any core modifications. You mentioned cookies, but this makes me wonder: did these users have previously logged in with the user they were unexpectedly logging in? (e.g.: has your friend logged in as "admin" before?)

With so little information the issue is hard to guess. All I can say with this info is that the backup/restore process failed somehow.
by
first aff all; thanks for your answers.

what dou you mean by "external users?"  I use normally q2a registration and  signing up by facebook, twitter  or linkedin. not anymore type of  registeration. by hte way my theme is qawork.

backing up and reloading it made by hosting company. the back up fully ( both files on host and mysql database) I hadnt a problem about my other websites which is mybb or wordpress like this one.

I didnt do any core modification.

About your last question; lets give an example. I logged as another user in firefox, chrome and ie I had the problem in all browsers both desktop and mobile. . After I loaded the backup and make my php 5.3 again; I delete all cookies on chome and ie.  I try to log and it logged me in my account. No problem. But I didnt delete the cookies on firefox and I try to  sign in and it make me log in another user again.  When I delete cookies no problem. One more strange situation is, when I check the paswords on the browser, there is no password of the account of another user which I logged in.

Sorry for my bad english; I hope I could explain it.

This night I will upgrade my q2a; I hope it will help me to fix it.
by
edited by
External users means the username, password, and all user data is stored in a separate DB, for example, in WordPress, and Q2A uses those users. I don't think you're using that. If you're using LinkedIn to register/login then you must have downloaded the q2a-open-login plugin. Maybe the issue is in there.

Regarding the backup, I wouldn't remove that as possible reason either but seems to be less likely now.

Regarding the upgrade to 1.8 I don't think it will solve the issue. The closest thing to your issue is that there have been changes in how passwords are stored. I don't think that has anything to do with this anyway.

Without having step by step instructions on how to reproduce it locally there isn't much I can do. I mean, I have logged in many times with the same and different users in the same and different browsers and never faced that. However, I never used the q2a-open-login plugin. If more people report this and happens to be using it then it is a good place to start. I'd pay more attention to what provider (LinkedIn, Facebook, etc) are using the users that face this issue, or maybe if the same user is using more than one provider, and what providers are using the users that get somehow mixed. Just trying to find some pattern there.
by
@pupi I agree. "open-login" could be the possible culprit. Because I had this problem at some point of time but not very severe as it happened only once or twice. I don't know how it got fixed but as of now I don't have this issue. May be the upgrade fixed it as I had this issue when I was using 1.6.3 or 1.7.0 and now using 1.8. Not sure open-login plugin was upgraded in between. Moreover I use only facebook/google and only a minute number of users login via these and majority uses normal login. May be this bug still exist.
by
Arjun, I still face this issue.. Any suggestions?

6 Answers

+1 vote
by
to explain clearly, for example I registered here as civil.engineer; I posted questions, some answers etc. after 1 week i try to login but it doesnt ask me the username or password. it  automatilacally log me in as another member ( for example Jackson) and i can continue as Jackson on the website and can ask questions, answer, also can change Jackson's all account informations include his password.

Thats a big problem, what can be the reason ?
by
Well I don't know exactly but I had once faced this issue long back but couldn't investigate further. Anyway it is better for you to go straight to q2a 1.8 as it is much faster and has lot more features. Or go for Q2A 1.7.4
0 votes
by
hello any other idea, solution  advice?
by
I dont think this is issue with Q2A v1.6.3.  Can you share your site. we can look into what is causing issue.
+1 vote
by
edited by

I am on 1.8, with open login for FB & Google.
Native registration still enabled...

My users reported this while doing native registration.

Bug is like this ... Who logs in last, their user name is taken by next person...

May be a rough guess, it happens only if users crosses 1024 magic number..

I deleted all spam users to bring down user count < 1024, issue is no more appearing.  But more users will register soon & problem will appear again.


Facing same issue...
Any solution for this???

Update 3: I tried disabling  Open-login plugin. Cleared all cache. But issue still remains. This seems to be problem with core

Update 2: Is it something to do with Session ID generation ??

Update 1: Error log from server

[25-Nov-2016 05:03:25 America/Denver] PHP Fatal error:  Uncaught exception 'Hybrid_Exception' with message 'You cannot access this page directly.' in /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php:211
Stack trace:
#0 /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php(117): Hybrid_Endpoint->authInit()
#1 /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php(51): Hybrid_Endpoint->processAuthStart()
#2 /mydomain/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php(72): Hybrid_Endpoint->__construct(NULL)
#3 /mydomain/qa-plugin/q2a-open-login-master/qa-open-login.php(137): Hybrid_Endpoint::process()
#4 /mydomain/qa-include/qa-page.php(102): qa_open_login->check_login()
#5 /mydomain/qa-include/qa-page.php(822): qa_check_login_modules()
#6 /mydomain/qa-include/qa-index.php(194): require( in /home5/pulsetho/public_html/theupsconline/qa-plugin/q2a-open-login-master/Hybrid/Endpoint.php on line 217

by
So third person to face this issue who also has the open-login plugin installed (which happens to log people in). You should at least file an issue in the GitHub project and see if the developer can help somehow
by
https://github.com/alixandru/q2a-open-login/issues/75

Raised a issue... But I am afraid, it could be too late to find solution & too fast to beat 1024 user limit :(
by
Updated error log from server
by
Any one for help,,,,:(
+1 vote
by
You said you are using v1.8 and mention the cache. Are you talking about the browser cache, or the new caching feature in Admin>Caching?

If it's the latter can you try disabling it and see if it resolves the issue?

I found a small issue with that feature the other day. I don't think it should affect your situation but it is a possibility.

PS sorry for the late reply, somehow I missed this question.
by
Hi, I tried disabling server caching ( & removed settings from config files). But problem never solved.
Now I am seeing this problem in 1.74 core, no plugins (login related) installed.
+5 votes
by

It seems this issue is related to hosting companies performing an aggressive and extremely naive caching. You can see HTTP headers like the following ones in your request:

X-Cacheable: NO:Not Cacheable
X-Served-From-Cache: Yes

This chaching seems to be activated when some limit (bandwidth, disk access, CPU, etc) is reached. This is usually related to shared hosting and seems to be a way to turn (force?) you into paying for a VPS, which won't be subject to that "throttling" as they call it.

This thread mentioned this issue in Host Gator:

https://community.mybb.com/archive/index.php?thread-153267.html

I can confirm this is also happening in Bluehost.

by
Wow that's crazy, and downright *dangerous*. Q2A outputs headers specifically to prevent caching.

At least, if I'm not mistaken, it wouldn't allow someone who appears to be logged in as 'admin' to be able to actually execute any admin functions - as they wouldn't have the true admin cookie. But they could still view anything the admin could.
by
I can't confirm if users that (unintentionally) impersonate admin users can change the settings. However, I can confirm that they can post/answer questions as the users they impersonate.

This even happens with paid plans for shared hosting, not just the free ones.
by
Hmm OK, sounds like there's more to it than just the caching. I suppose if the host's caching also caches any "Set-Cookie" headers, that would actually gift the user someone else's cookie, so log them in as another user.
...