Users sporadically logged in as other users

Kambei_Shimada · April 28, 2017, 09:39:34 PM

Hi, so I've recently experienced a troubling problem with my SMF 2.0.13, and I was hoping one of you guys might have a clue as what it could be. I'm unable to link to the forum right now, because I took it down for maintenance, but I can explain what happened:

The forum is on a shared server. It could be unrelated, but for two days, the site had some performance problems (loading times of up to 10 seconds per page), and then suddenly users began reporting they were seeing pages meant for others, as in USER A is clicking on a thread and it loads the page as USER B. That went so far as to have USER A, now seeing himself as USER B, able to briefly check USER B's personal messages (have screenshots of this, private message subject headings and all). This was also the case for guests, or anyone logged out completely. I could refresh a page and see myself logged out, but refresh again and be logged back in (often as a different user). Also of note is the time seemed to be off on the pages were it happened (displaying a 10-15 min delay).

This issue popped up completely out of the blue. I had made no recent changes to my SMF settings, and after troubleshooting with my host, learned that they had made no updates or changes either to the server's database, PHP or MySQL versions.

Any clues as to what could be the cause of this bizarre, scary behavior? I'd appreciate any help you can give. It would really set my mind at ease...

Sir Osis of Liver · April 28, 2017, 11:23:21 PM

Don't know if this will help, but give it a try.

Admin -> Server Settings -> Cookies and Sessions

- Change cookie name.
- Check Enable local storage of cookies

Arantor · April 29, 2017, 03:22:51 AM

Ask your host if they're using Varnish or similar and if they are to please turn it off.

Kambei_Shimada · April 29, 2017, 07:49:52 AM

Thanks so much Arantor. Spoke with host again and indeed they had enabled Varnish. Unsure, frustrated why they didn't acknowledge that earlier as a possibility. Will still take a few hours to ensure that it's been resolved.

Hoping to change hosts soon, as Bluehost has been nothing but trouble when tech support issues come up. Any suggestions? My site lives and dies by it's forum, which is sizable. 700mb database.

Illori · April 29, 2017, 08:15:47 AM

check our paid hosting board for a few suggestions.

Arantor · April 29, 2017, 08:33:44 AM

Honestly not sure who I'd recommend, I haven't had to go host shopping in a while.

Bob Perry of Web Presence Consulting · April 29, 2017, 10:48:04 PM

One of my clients pointed this issue out to me yesterday, thought it was a minor issue only related to his site... wrong answer... been fighting with this on my own site too and ready to throw the computer through the window... this is the craziest situation I've run into in a long time... one menu option shows me logged in, another shows me logged out, nothing makes sense...

I had previously installed a pear cache at the host, so after reading this I uninstalled that, no change... tried renaming cookies and enabling local cookie storage, nada... I hate hostgator support cause they want to try and force me to upgrade to dedicated server which I can't afford and also because you can't talk to them on the phone, they pretty much twist your arm to use live chat... situation definitely sucks but now its a vendetta... I WILL figure this out...

HDB · April 30, 2017, 12:10:21 PM

Would it help if you were to go into the SMF Admin CP and in Server Settings select Caching Level to "No caching"? Would that stop the unwanted behavior on SMF?

Arantor · April 30, 2017, 12:14:54 PM

Nothing to do with SMF's caching, this is implemented lower down the food chain.

HDB · April 30, 2017, 12:31:35 PM

Thanks Arantor. I see that Varnish is rooted on the server but I was wondering if somehow SMF could be set to ignore it.

Arantor · April 30, 2017, 12:36:15 PM

Nope, because it happens before it gets to SMF.

utgf · April 30, 2017, 01:42:46 PM

I have the exact same issue...........and it's driving me crazy....I'm on the phone with their support now

utgf · April 30, 2017, 03:52:33 PM

Well, I just got off a two separate 1 hour phone calls with Bluehost.

They told me that they've seen a flurry of issues with forum websites because of Varnish. They ended up flushing the Varnish cache and said that that should fix the issue. They told me to give it some time but that I should start to see the forum act normally.

Kindred · April 30, 2017, 05:08:48 PM

Flushing the cache will just reset the problem to restart when the cache gets refilled.

They should just turn off/remove varnish

Arantor · April 30, 2017, 06:35:20 PM

The reason they have a flurry of issues is because they clearly haven't configured it correctly to understand when content should be cached and when it shouldn't.

Kirsten07734 · April 30, 2017, 07:10:10 PM

I'm having the same problem. First they state that it can't be Varnish causing the problem. Then they state the only way to fix it is for me to buy a more expensive premium hosting package so I can turn off Varnish. And finally they say the problem is with the Simple Machines software.

What I want to know is: if they put Varnish on my account a year ago to punish me for having a large site, why did it wait until yesterday to start exposing my member's private messages to the world? I changed nothing. It cannot be SMF because I updated nothing on the SMF software yesterday. It has to be something they did at BlueHost. But because they refuse to put some effort into fixing it when it's an easy way to force a sale of a more expensive product, I'm stuck.

I need a new hosting service, not one that forces me to shut down my site to protect my members while they hold it for ransom. I can't even run it in maintenance mode without exposing their private messages.

Arantor · April 30, 2017, 07:22:58 PM

Because they've turned up/changed the Varnish configuration to be more aggressive.

Steve · May 01, 2017, 07:39:24 AM

Quote from: Kirsten07734 on April 30, 2017, 07:10:10 PMI need a new hosting service ...

Take a look here: https://www.simplemachines.org/community/index.php?board=4.0

lurkalot · May 01, 2017, 08:43:42 AM

Quote from: Arantor on April 29, 2017, 03:22:51 AM
Ask your host if they're using Varnish or similar and if they are to please turn it off.

Pete, seen you mention this a few times lately. I've seen a XenForo forum suffering this same problem over the last few weeks as well. I checked and see that their host is also running Varnish. All a bit worrying if you ask me.

Relentless_Fatigue · May 01, 2017, 09:58:36 AM

Quote from: lurkalot on May 01, 2017, 08:43:42 AMPete, seen you mention this a few times lately. I've seen a XenForo forum suffering this same problem over the last few weeks as well. I checked and see that their host is also running Varnish. All a bit worrying if you ask me.

Seems to be a common thread for all the cheap hosts of the early to mid-2000s, like bluehost and hostgator. Those guys had great bang for your buck at the time, so they reeled in a lot of customers, and then the service slowly went to hell as they proceeded to maximize profits. I bet they're all just a shell of what they were now and are manned by folks who can properly set up a cache server. Wouldn't even be surprised if they were bought out by the same company.

Only solution seems to be to move on to "cloud hosting", where you have control over these things, or to migrate to a more established, more reliable company.

Arantor · May 01, 2017, 11:48:07 AM

Quote from: lurkalot on May 01, 2017, 08:43:42 AM
Quote from: Arantor on April 29, 2017, 03:22:51 AM
Ask your host if they're using Varnish or similar and if they are to please turn it off.

Pete, seen you mention this a few times lately. I've seen a XenForo forum suffering this same problem over the last few weeks as well. I checked and see that their host is also running Varnish. All a bit worrying if you ask me.

This is not surprising.

The deal is this: Varnish is a cache that sits on the server. It sits between the user and Apache/PHP. So once something requests a page, Varnish stores the entire page as is. Next time someone hits that same URL, Varnish serves up that full page without it even going to Apache/PHP.

For performance, great. But for highly dynamic pages where the same URL potentially has different contents for different users, utterly terrible and a really, really bad idea.

BlueHost should know better, frankly. It's fine for WordPress and similar where the front end is largely identical between all users but for forums, it's a real killer.

lurkalot · May 01, 2017, 01:55:51 PM

Quote from: Relentless_Fatigue on May 01, 2017, 09:58:36 AM

Seems to be a common thread for all the cheap hosts of the early to mid-2000s, like bluehost and hostgator. Those guys had great bang for your buck at the time, so they reeled in a lot of customers, and then the service slowly went to hell as they proceeded to maximize profits. I bet they're all just a shell of what they were now and are manned by folks who can properly set up a cache server. Wouldn't even be surprised if they were bought out by the same company.

They are owned by the same company.

In fact the company Endurance International Group = EIG has bought up loads of them. There's a list here, http://www.webhostingsecretrevealed.net/blog/site-updates-news/the-who-what-when-of-endurance-international-group-eig/

Arantor · May 01, 2017, 03:18:27 PM

Awesome, there's no way this will end badly or anything...

lurkalot · May 01, 2017, 03:42:53 PM

Quote from: Arantor on May 01, 2017, 03:18:27 PM
Awesome, there's no way this will end badly or anything...

lol.. hope not.

Thanks for explaining how varnish works It makes sense now.

PanicRev · May 01, 2017, 06:38:27 PM

Strangely enough, we're having the same issue. Also running SMF, also on Bluehost, issue started just recently as well.

Called support, they advised Varnish is not active. I renamed the cookie and disabled caching from the SMF admin panel, and then manually emptied the "smf_sessions" DB table from within phpMyAdmin and still no solution. Users still reporting showing logged in as other users.

lurkalot · May 01, 2017, 06:47:57 PM

Perhaps check your website, http://www.isvarnishworking.com/

PanicRev · May 02, 2017, 11:26:02 AM

The Varnish checker says no, however, I just ran a filesystem & database backup and ran the software on a local server and the problem disappeared. May not be Varnish, but my guess is Bluehost is doing some type of caching that's causing this issue. (Still working with their support on this issue).

Arantor · May 02, 2017, 11:27:13 AM

Other BH users have confirmed Varnish... but please do let us know. All the symptoms are there, after all.

maherley · May 02, 2017, 03:00:41 PM

I'm having trouble, too. Blue Host. All tech support did for me was offer to let me pay more for Cloud Hosting.. despite the site working for the past 2 years without a problem.

If anyone has found a solution, please share.

Alternatively, if this is a shared server problem, will this now be a problem on all other cheapish web hosts? I'll shop around if I need to, but what's the point if it will do the same thing?

Illori · May 02, 2017, 03:03:47 PM

this is not an issue all hosts should have. most shared hosts that are not oversold should be able to handle their setup/config without the use of varnish and you may get better performance then you are getting now.

maherley · May 02, 2017, 06:47:13 PM

Thanks. Any recommendations? I know there's a whole forum for reviews and the like, but none talk about this issue, and I don't want to blindly transfer to another host.

I have a small forum, so cheap and good are the only requirements!

Bob Perry of Web Presence Consulting · May 02, 2017, 07:43:58 PM

Quote from: maherley on May 02, 2017, 06:47:13 PM
Thanks. Any recommendations? I know there's a whole forum for reviews and the like, but none talk about this issue, and I don't want to blindly transfer to another host.

I have a small forum, so cheap and good are the only requirements!

Just to let everyone know, HostGator is using varnish too... my issue has finally been resolved after three days of hair pulling and cussing like a sailor... but in my case and I'm sure many others, the reason they imposed this on me in the first place is that there were inefficiencies in my code that caused the system to overload allowed host resources... so, the way to hopefully avoid your host imposing this on your site is to be absolutely sure that whatever modules and customized code you have installed are the most efficient you can make it...

Kindred · May 02, 2017, 08:08:54 PM

Or to get a non overseller host in the first place...

Personally, I like and use icd soft for 14 different sites

shawnb61 · May 02, 2017, 08:41:24 PM

We use HostGator, no such issues. (Yet?)

DarkAngel612 · May 04, 2017, 06:51:18 PM

Posting this here too since it happened to me and I am almost hairless from yanking it out in frustration.

OK, I have done everything suggested here an the other threads listed....no joy

I deleted sessions from database=worked for an hour or so then back it came

reloaded brand new files/went thru database with fine tooth comb deleting mods coding that are no longer in forum, sessions, repair/optimize and it would work for only a short time then the issue returned.

this is the latest in this saga and hope it helps:

Moved the forum directory to a "holding folder" (after picking a time when I was alone on the forum) --- this took away the forum totally. recreated all directories for it then started going thru them all and transferring the files to their new folders, checked the settings file to ensure nothing got messed up. I did find doing this that for some odd reason the cache folder got renamed, no idea when or how.

After moving its files to the new folder I went to the forum and for 2 days now it has behaved as normal. Thanks to all for their help.

Sir Osis of Liver · May 04, 2017, 06:57:39 PM

Just a guess, but by moving the files to a new directory, you've effectively cleared the cache, and problem will return when cache fills up with new urls.

DarkAngel612 · May 04, 2017, 07:06:07 PM

the funny thing is there are only 3 things in the cache folder:

.htaccess
index.php
mediaprocache.php

nothing else in there and now that the "x" is not in the folders name I am hopeful that it stops

That is all that has ever been in there

Jailer · May 04, 2017, 09:20:09 PM

It has nothing to do with the SMF cache, it's the Varnish cache that is the problem. Get with your host the problem is completely out of your control.

DarkAngel612 · May 04, 2017, 09:28:49 PM

after many calls and verifying on their end that they do not have Varnish or any of the other types this is the only solution I could come up with.

Kindred · May 04, 2017, 11:07:48 PM

They are not telling you the truth. We know that bluehost IS sing a badly configured Varnish

DarkAngel612 · May 05, 2017, 12:47:08 AM

not real worried since I plan to move this forum as soon as the hosting package is renewable.

how since this is the first time I am going to move a domain that is free with package....I don't want it to get bought out from under me and IF I could do it before the server fees are due that would be great.

Kindred · May 05, 2017, 06:48:44 AM

https://wiki.simplemachines.org/smf/Hosting_-_How_do_I_move_my_SMF_forum_to_a_different_host

DarkAngel612 · May 05, 2017, 01:14:50 PM

But will the site behave or go away totally when doing this. As I said it is not a domain name on its own --- it comes free with her hosting package.

If the usual way of going to another host is still the same then no problem cause I do it that way all the time I have to move a site to a new host.

Sir Osis of Liver · May 05, 2017, 01:45:27 PM

The domain should belong to you. You may be able to leave it with them if they have a reasonable rate for domain registration only, or you can move it to a different registrar. IIRC, there's usually a 30 day lead time for changing registrars. When you move the forum, you'll have to update nameservers in your domain's DNS settings to point to the new servers.

DarkAngel612 · May 05, 2017, 07:05:39 PM

like always about the dns address changes, I know how to move them over to new host and now see that it might not mess things up prior to the hosting pakage coming due---in August

News:

Users sporadically logged in as other users