HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Users seeing other user data when logged in?
LeftBrain
✭✭
Hello,
I'm using Vanilla 3.3 and have had my forum going on for a long time. Recently (I haven't made any changes as far as I know), I've gotten reports from 2 users that when they sign in as themselves, they get access to someone else's account.
Any idea what is going on and how to fix it?
I personally haven't seen the problem but some of my frequent users have.
thanks
Perry, 44
0
Comments
Are you using any kind of web accellerator/cache or reverse proxy (e.g. varnish)?
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
Not that I know of. My web guy may have put up some cache or something though. I'll check.
Would that affect things?
A wrongly configured reverse proxy (intended to cache pages only for guests) may cache pages from logged in users and serve them to others. This would not mean that the users are actually logged in under someone elses account, just that they see wrong information.
But if those users can actually act on behalf of the other account (make POST requests, e.g. adding a comment), this is not a cache problem, but with authentication. Do you have any SSO solutions enabled, e.g. OAuth or jsconnect?
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
Thanks. I talked to my server guy and he said he did put a cache on the site recently, so perhaps that was what was causing the problem. And people were just seeing other users posts. They weren't able to change anything like post in their name or adjust profile.