members being logged into the wrong account

Started by Mommy, June 23, 2007, 11:45:17 AM


Mommy

Hi.  I am new to all of this and we have just had a problem develop on a board I inherited.  Members are being logged into accounts that are not theirs.  They have full rein while logged in as though they were this other user.  I know of at least one instance where they have been logged in as the admin users.

What info can I supply you with to help me solve this? 
We are using version SMF 1.1.2

Thanks!
Mommy

Smurfbutcher Bob

(Only thing I can think of is duplicate ID_Members? Primary key got screwed up in the schema?)

Mommy

Quote from: Smurfbutcher Bob on June 23, 2007, 09:21:39 PM
(Only thing I can think of is duplicate ID_Members? Primary key got screwed up in the schema?)

Thanks for the reply...How would a person go about fixing that? 

I have changed templates today in the hopes that would "fix" it temporarily and I haven't heard anything (That doesn't mean of course that it's fixed).  We were using the smf default theme-core previously.

Like I said, I'm a real newbie to all of this. :)

Smurfbutcher Bob

I suspect it won't be a theme issue. I posted that to inspire someone with one of the few ways it might be happening.

Things I'd look for are:

1. Is it consistent, and how. Which of the following are true:
- The exact same users *always* end up with the wrong accounts. (Others never do. It always happens to me. It never happens to Fred.)
- The same user will *always* end up with the *same* wrong account. (I log on as me, I always end up as you. I never end up being Fred.)

2. When did this start happening. What was changed, before that.

3. Have you been able to encounter this issue. Have you been able to avoid it.

4. What mods are installed, if any.

Quite the puzzle, I must say!

Mommy

Quote from: Smurfbutcher Bob on June 23, 2007, 09:56:48 PM
I suspect it won't be a theme issue. I posted that to inspire someone with one of the few ways it might be happening.
You are right--someone just posted that it happened again...

Things I'd look for are:

1. Is it consistent, and how. Which of the following are true:
- The exact same users *always* end up with the wrong accounts. (Others never do. It always happens to me. It never happens to Fred.)
- The same user will *always* end up with the *same* wrong account. (I log on as me, I always end up as you. I never end up being Fred.)

It seems to be random users getting random accounts.  We have had a few users tell us that they have accessed two or three other accounts, including those of admins. 


2. When did this start happening. What was changed, before that.
It started happening after the previous owner un-installed everything that was "hers" and left abruptly (read what you will into that  ;) )

3. Have you been able to encounter this issue. Have you been able to avoid it.
The only way to avoid this seems to be to stay logged in. I have had this happen once but my account seems to get logged out on its own.


4. What mods are installed, if any.
I am not familiar with all of the mods installed and I am not even sure where to begin looking.  Is there a simple way to find them?

Quite the puzzle, I must say!
I agree, I hope someone here likes puzzles.

If this isn't a bug issue feel free to move me to wherever I will get help  :D  Thanks so much!

Smurfbutcher Bob

Good recon job!

Okies, I'd suggest a re-install (same process as an upgrade). It sounds like the previous person uninstalled some stuff and things got hosed in the process (not necessarily malicious).

1. Head into the admin panel. Under "packages", you'll see a section that lists what mods are installed. Make a note of what they are.
(If you're lucky, there won't be many. Makes life easier when you're new :) )

1a. If you're familiar with FTP, make a temp directory on your local machine. Download a copy of the forum directory into it, as a backup. You'll want to make certain you get the forum root (index.php and settings.php), along with "/sources" and the entire "/themes" directory tree.  You can ignore the attachments directory, which is probably full of user-crud (and won't be touched, anyway).

2. Grab the WebInstall package - http://docs.simplemachines.org/index.php?topic=941.0

3. Instructions from there should guide you the rest of the way; you'll proceed as if doing an upgrade.

If you run into trouble during the update, no worries. Since you're basically overwriting files with... the same base versions, there should not be any major forum crashes as a result of an issue.

If an update fails, it is typically due to a modification. I'm not certain how the webinstaller deals with them, but worst case - uninstall the mods, do the upgrade without them, then install them back once everything is "sane" again.

Make sense?

Mommy

Make sense?  I think so.  :D

Am I going to have to take the board down to do this or will it be ok if users are logged in? (Sorry... was that my newbie I just flashed  ;D)  I know there is one mod installed that was written specifically for our board.  Am I lost on that one if I have to reinstall mods? I don't have a copy of it as that went with the previous owner.

Is it better to make a backup from ftp or is it the same to use the backup within the admin panel?  Either way is doable. (This is a question for long term use too.)

Thanks so much, Mr. Bob!  You're a lifesaver!

Smurfbutcher Bob

Users will be booted during the process, and will get a "system upgrade in progress!" message.

For that one mod that went with the previous owner - if they uninstalled it, that might be your issue.

Okies, let's do some more recon -
First, get that mod list from the admin panel. Hopefully you'll recognize the custom one. If you don't... it might already be gone (and maybe even causing the issue).

Next, FTP. You'll see a directory called "Packages".  In that directory is the source for each modification that's installed.  Copy them to your local machine, and keep them safe. Hopefully, the custom mod will be there.

If it is, and you've grabbed it, then no worries.  Once the upgrade is complete, just see if the mod is still present. If not... install it via the "package" option in the admin panel.


As a side note - In the Packages directory, you'll see a directory called "backups". Every time a mod is installed, a gzip is made of the source just before, and just after the installation. The idea is that if a mod has completely hosed something up, you can use one of these to restore the files. They don't include the mod package itself, but the (original and resulting) forum source files. I'll leave the rest of this to your imagination, should you dare. (Pay attention to the time stamps! In theory, this might make the entire upgrade procedure completely unneeded. Heh. But, it may be a little messy, and I'm not certain of your comfort level. So, I'll leave that up to you - if you know what I'm thinking, you're probably giggling. If not... do the upgrade.)

For backups (ongoing) -

The backup in the admin panel is for the SQL stuff. I sometimes use that.

For the forum files, I made a password protected directory with a couple of php scripts. One of them makes a zip of the user data (attachments, avatars, etc); another makes a zip of the forum's source files. Another does a mysqldump, and zips that.  A machine in my basement then uses WGET (a command-line browser) to invoke the relevant script, and download the resulting zip file.  The user-stuff gets pulled every few days along with the SQL stuff. The forum source is only grabbed after I install something, since it should otherwise never change.

For FTP backups (by hand), remember you're only getting the forum files... not the sql data.  Most of the directories will never change unless you install a mod - so, sources... themes, etc, there's no real benefit to grabbing them each week. Unless YOU change those files, they stay the same. Certainly if some hacker changes them, you do NOT want that stuff backed up :)

Transient data (avatars, attachments, galleries, et al)... those you might FTP at some interval, along with the sql data. Again, you can use the "backup" feature to grab the smf data, or do a dump in phpMyAdmin, or some scripted solution. But... let's get the forum up, first :)

Mommy

Bad news :(  The re-install did not seem to help.  I am going to gather more info from the users who have seen this.

Any other ideas?  Please help! 

I also installed 1.1.3 last night so we are current on that.

Smurfbutcher Bob

Ok, next test... compare to mine. Yours might be different, but hopefully it'll be close.

Admin -> Server Settings

In Core Config,
- Check that the "sources directory" is what you expect it should be.  After installing 113, though, it most likely is.
- Verify the "cookie name" is valid. Default is "SMFCookie" or something. No ampersands, exclamation points, tildes, etc.

In Feature Config...
- Default login cookie length is usually 60 minutes.
- Local storage and subdomain is unchecked.
- "Use database driven session" is generally checked.
- "Seconds before unused session timeout" is typically about 2880.

In Caching...
Make a note if caching is enabled. Then select "No Caching" if it's set to something else.


In "Features and Options", about halfway down the page is a checkbox for "Enable error logging". Turn it on.

Cruise down to the "Maintenance" section. Then,
- "Find and repair any errors".  Hopefully comes back with nothing major, except a few orphaned PMs (from deleted users).
- "Empty unimportant logs" - wipes a bunch of flotsam that might not be helping
- "Optimize Tables" - packs the tables.

Last step for debugging:
View the forum error log, and clear it. Anything that appears after this point is new, and could be relevant in helping to track this down.

Simplemachines Cowboy

When I first started my site, I had a user post a link in another board that included his session id.
That caused the same behavior you are describing; folks clicked in on his session id and became his user name.

I was lucky and able to have the link removed quickly, and then I set something else (that is lost in the mists of time) to help it.

I'll try to search some more & see if I can remember what I did.

Here it is:
http://www.simplemachines.org/community/index.php?topic=65199.msg450732#msg450732
My SMF forum: The Open Range
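
The failure mode described in the post above (a link carrying a session id gets posted, and anyone who follows it lands in that session) can be checked for from the admin's side. The following is an added example, not part of the original thread and not SMF code; it assumes the session id travels as a `PHPSESSID` query parameter (PHP's default session name) and that the web server writes a common/combined-format access log. The function names and all sample data are constructed.

```python
import re
from collections import defaultdict

# Assumption: the session id is a PHPSESSID query parameter (PHP's default
# session name). Adjust SID_RE if the site uses a different session name.
SID_RE = re.compile(r"[?&;]PHPSESSID=([0-9A-Za-z,-]{16,})")
# Common/combined access log prefix: client IP ... [timestamp] "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

def shared_session_ids(log_lines):
    """Return {session_id: sorted client IPs} for ids requested by more than one IP."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for sid in SID_RE.findall(m.group("req")):
            seen[sid].add(m.group("ip"))
    # One id from several addresses is a lead to review, not proof:
    # a client whose address changes mid-session looks the same.
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}

def posts_leaking_session_ids(posts):
    """Return the ids of posts whose body contains a link carrying a session id."""
    return [pid for pid, body in posts.items() if SID_RE.search(body)]

# Constructed sample data: documentation IP ranges and made-up session ids.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Jun/2007:20:01:11 -0500] "GET /index.php?PHPSESSID=0123456789abcdef0123456789abcdef&topic=12.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jun/2007:20:03:40 -0500] "GET /index.php?PHPSESSID=0123456789abcdef0123456789abcdef&topic=12.0 HTTP/1.1" 200 5120 "http://other.example/board" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Jun/2007:20:09:02 -0500] "GET /index.php?PHPSESSID=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [25/Jun/2007:20:10:15 -0500] "GET /index.php?action=profile HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]
SAMPLE_POSTS = {
    101: "Check this thread: http://forum.example/index.php?topic=12.0&PHPSESSID=0123456789abcdef0123456789abcdef",
    102: "No link here, just a reply.",
}

if __name__ == "__main__":
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} used from {', '.join(ips)}")
    print("posts with a session id in a link:", posts_leaking_session_ids(SAMPLE_POSTS))
```

Posts flagged by the second function are the ones to edit first, since every click on such a link reuses the poster's session until it expires or is destroyed.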

Mommy

Quote from: Smurfbutcher Bob on June 25, 2007, 07:27:17 PM
Ok, next test... compare to mine. Yours might be different, but hopefully it'll be close.

Admin -> Server Settings

In Core Config,
- Check that the "sources directory" is what you expect it should be.  After installing 113, though, it most likely is.
- Verify the "cookie name" is valid. Default is "SMFCookie" or something. No ampersands, exclamation points, tildes, etc.
All good
In Feature Config...
- Default login cookie length is usually 60 minutes. 90
- Local storage and subdomain is unchecked.
- "Use database driven session" is generally checked.
- "Seconds before unused session timeout" is typically about 2880.
All good
In Caching...
Make a note if caching is enabled. Then select "No Caching" if it's set to something else.
I see "SMF has not been able to detect a compatible accelerator on your server."  No caching

In "Features and Options", about halfway down the page is a checkbox for "Enable error logging". Turn it on.
already on

Cruise down to the "Maintenance" section. Then,
- "Find and repair any errors".  Hopefully comes back with nothing major, except a few orphaned PMs (from deleted users).  Done. you are correct. PM's only
- "Empty unimportant logs" - wipes a bunch of flotsam that might not be helping done
- "Optimize Tables" - packs the tables. 39 tables optimized.

Last step for debugging:
View the forum error log, and clear it. Anything that appears after this point is new, and could be relevant in helping to track this down.  Great

Thanks for the blow by blow on that one. :D

Mommy

Quote from: Simplemachines Cowboy on June 25, 2007, 08:14:59 PM
When I first started my site, I had a user post a link in another board that included his session id.
That caused the same behavior you are describing; folks clicked in on his session id and became his user name.

I was lucky and able to have the link removed quickly, and then I set something else (that is lost in the mists of time) to help it.

I'll try to search some more & see if I can remember what I did.

Here it is:
http://www.simplemachines.org/community/index.php?topic=65199.msg450732#msg450732

This sounds exactly like what we had.  Non-lab setting users being logged in as other users.  Thanks for letting me know we aren't crazy.  :P  I'm not sure I followed how you fixed it. (then again, it's midnight and I might see it when I look in the morning haha)

Mommy

So we did a bit more tonight than just re-install from an upgrade.  We started having trouble with the mods not wanting to install so we started fresh.  Deleted all mods and unused templates down to the core default.  I then uploaded via ftp all files except the settings.php (at the recommendation given to another admin).  All mods are installing (almost) perfectly now. (we have trouble with the bookmarking one but I suspect that is a 1.1.3 issue)  Hopefully, all this combined will end the troubles and let us get back to our regular posting.  :)

I'll keep ya posted! 8)
