
Really weird...

edited April 2006 in Vanilla 1.0 Help
Some really weird things have been happening around my community lately (running Vanilla 0.9.2). A few days ago, one of my members tried to log in but noticed that he was already logged in... under another user's account (these two users don't even know each other). He had not tried to log in under another account, nor had this happened to any other user (including me). Here's the really freaky part... When he found that he was logged in under another user, he had Master Administrative privileges. Neither of those accounts are Master Administrators! I've examined my databases and permissions, but can't find anything that would allow that kind of security problem. Another strange problem is that some users have to log in twice to view discussions, but others only have to log in once. I know this sounds unbelievable, but I'm not making it up. I have screenshots from a few users to prove it. Any suggestions?

Comments

  • Um. I have no idea what would be causing this. What host are you using? Except the cookie thing, it could be someone on the same ISP that caused the user to already be logged in as someone else. As for Mast. Admin. That is scary and I have no idea.
  • When logging in, does your version of vanilla possibly throw the PHPSESSID into the url. On an off chance, my guess is that someone may have clicked a link giving away their session ID which in turn "logged" them in as another user.
  • MarkMark Vanilla Staff
    Lech might be onto something, check out this discussion: http://lussumo.com/community/discussion/1155/?Focus=14866#Comment_14866
  • edited March 2006
    Lech: Sometimes I see PHPSESSID, but sometimes I don't. I hadn't thought of that before... Hmm... I still think it's something in the databases because I recently moved to a new server on the same host. Something may have happened when I transferred the DB tables. Any other suggestions?
  • lechlech
    edited March 2006
    If you are indeed seeing PHPSESSIDs in the URL bar, then that's definitely part of your problem with users getting logged in as one another. Fixing it or requesting a fix for the PHP configuration is a must if you wish to resolve this and weed out any other possible problems.
  • OK... I contacted my host and asked them to verify PHP versions and packages on my server. They said that everything checks out and there's nothing they can do... Any other options?
  • Lech: Sometimes I see PHPSESSID, but sometimes I don't. I hadn't thought of that before... Hmm...

    OK, that doesn't answer the question: are you or are you not seeing PHPSESSID in your URLs still? If you see at least one, that means the problem is there, even if it's popping up every other page view or on rare page views. Click through every link you can find in your Vanilla setup; if you see PHPSESSID strings in the URL ANYWHERE, your host has some PHP configuration to do in order to correct the problem.

    Look here at the details Mark has suggested. It's not as easy as checking out the version and packages on the server; it's the configuration of PHP itself.
  • OK... Forgive me if I've been a bother. And thanks for being patient with me. :-) I'm going to install a separate copy of Vanilla to see if this is still occurring because I have a feeling this is what my host will ask me to do anyway. They will not check server-side PHP settings without a definite error. Without one, they think it's simply a Vanilla bug.
  • simple... add an extension that pops out a php error message if PHPSESSID is found in the query string =) then they'll be forced to check
  • edited March 2006
    OK... I've checked every page within the new install... I don't see PHPSESSID in any of the URLs. It can't be the PHP configuration on the server...
  • Hmm, OK, if it's not PHP or Apache, I'm inclined to ask which version of MySQL you're running. If it's 5.x it may shed some light onto the subject. Mainly how it's even running at all :) but it could help us diagnose things further unless the errors have somehow magically cleaned themselves up over the course of the past few nights.
  • edited March 2006
    OK... My server is running MySQL 4.0.25. Interestingly, however, I'm not seeing PHPSESSID in any of the URLs now... But, as I said before, they pop up when I'm least expecting them.
  • MarkMark Vanilla Staff
    To be sure:

    Open up appg/headers.php and change this:

    // REPORT ALL ERRORS
    error_reporting(E_ALL);
    ?>

    to this

    // REPORT ALL ERRORS
    error_reporting(E_ALL);
    // DO NOT ALLOW PHP_SESS_ID TO BE PASSED IN THE QUERYSTRING
    ini_set('session.use_only_cookies', 1);
    ?>
  • Thanks, Mark!
  • OK... Bad news... It has started happening again... Even after having implemented that code.
  • MarkMark Vanilla Staff
    I'm not quite sure what to tell you. Without testing things out on your server myself (which would require a lot of security access) I can't tell you why it's acting so weird. I *can* guarantee that it has something to do with your server's configuration and has nothing to do with Vanilla's configuration.
  • ithcyithcy New
    edited April 2006
    you can also try
    // stop PHP from rewriting links/forms to carry the session ID
    ini_set("url_rewriter.tags", "");
    // never append the session ID to URLs at all
    ini_set("session.use_trans_sid", false);

    or just the first one
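    The three ini settings quoted in this thread (Mark's use_only_cookies, ithcy's url_rewriter.tags and use_trans_sid) and lech's idea of raising a PHP error whenever PHPSESSID still shows up in the query string, combined into one session bootstrap. This is an added example written for this page, not Vanilla's own code; it assumes PHP 7.1 or later, and the function name leakedSessionIdParam is made up here.

```php
<?php
// Added example (not from the Vanilla project): make the session ID travel
// only in a cookie, and report any request that still carries it in the URL.

// These must be set before session_start(), or they have no effect.
ini_set('session.use_only_cookies', '1'); // ignore a session ID in the URL
ini_set('session.use_trans_sid', '0');    // never append the ID to links/forms
ini_set('url_rewriter.tags', '');         // nothing left for the URL rewriter
ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts

/**
 * Return 'GET' or 'POST' when the session-ID parameter (PHPSESSID unless
 * session_name() was changed) appears in the request, or null when clean.
 * Hypothetical helper name; the parameters are passed in to keep it testable.
 */
function leakedSessionIdParam(array $query, array $post): ?string
{
    $name = session_name();
    if (array_key_exists($name, $query)) {
        return 'GET';
    }
    if (array_key_exists($name, $post)) {
        return 'POST';
    }
    return null;
}

// Emit a visible PHP warning and a log line: with error_reporting(E_ALL)
// this is the "definite error" a host can be asked to investigate.
$via = leakedSessionIdParam($_GET, $_POST);
if ($via !== null) {
    $msg = sprintf(
        'Session ID passed via %s to %s; URL rewriting is still active on this server',
        $via,
        $_SERVER['REQUEST_URI'] ?? 'unknown'
    );
    error_log($msg);
    trigger_error($msg, E_USER_WARNING);
}

session_start();

// Call this right after a successful login so an ID that may already have
// been seen in a URL (or in a referer log) is never promoted to an
// authenticated session.
function promoteSessionAfterLogin(): void
{
    session_regenerate_id(true); // true discards the old session file
}
```

    With use_only_cookies on, a PHPSESSID in the query string is ignored rather than honoured, so the warning is purely diagnostic and does not change which user the request is served as.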
This discussion has been closed.