Users Getting Logged In With Different Accounts?

bayonetbrant · June 02, 2025, 11:25:55 AM

I tried looking for this first, but didn't see anything.

For the bast 2-3 weeks, we've seen users getting logged in as a completely different (valid) user account. You can see the IPs "shared" across different accounts, too.

These folks are definitely *not* logging in from the same place (one in rural Virginia, and the 'counterpart' account in Denver; another in Newcastle UK, and getting logged in as a guy from outside London).

Seems like there's a user account table somewhere that might've gotten scrambled but I'm not 100% sure how to fix it. I've run all the built-in maintenance functions, and no errors found.

Not sure the best next step but trying hard *not* to roll back to a previous backup and lose a week's worth of content

Aleksi "Lex" Kilpinen · June 02, 2025, 12:13:08 PM

I would look at the host and server config first thing, any server side caches at use? Varnish ring a bell? Perhaps ask your host if they use Varnish, and can it be disabled?

bayonetbrant · June 02, 2025, 02:31:32 PM

Quote from: Aleksi "Lex" Kilpinen on June 02, 2025, 12:13:08 PMI would look at the host and server config first thing, any server side caches at use? Varnish ring a bell? Perhaps ask your host if they use Varnish, and can it be disabled?

They are *not* using Varnish

Illori · June 02, 2025, 02:32:16 PM

are they using any server side cache?

Kindred · June 02, 2025, 05:00:53 PM

As noted, the only time we have seen this issue is when a host-side cache is enabled, which saves sessions and presents that session to the next user(s) the same is the original user.... which is, as you see, a bad thing.

bayonetbrant · June 02, 2025, 08:40:58 PM

Quote from: Kindred on June 02, 2025, 05:00:53 PMAs noted, the only time we have seen this issue is when a host-side cache is enabled, which saves sessions and presents that session to the next user(s) the same is the original user.... which is, as you see, a bad thing.

I'll check with them and see what's up. Probably won't have time to sit on hold with them until tomorrow night, but will let y'all know what they say.

Thanks for the guidance and I'll report back

a10 · June 03, 2025, 03:31:14 PM

Experienced another type of host's caching 'biproduct', when some 'deny' ip in htacces got a hit it affected other non-blocked ip's > 403's spilled over to random, legit ip's.

Fixed with host providing a disable caching line to be added to htaccess.

shawnb61 · June 04, 2025, 03:52:55 PM

Random thought...

Do you have persistent connections enabled in Admin | Maintenance | Server Settings | Database?

I've never had an issue with this (in fact at one point it helped me with an issue), but in the past some folks reported issues with this on shared hosts.

If it's on, try turning it off.

bayonetbrant · June 06, 2025, 03:56:38 PM

Quote from: shawnb61 on June 04, 2025, 03:52:55 PMRandom thought...

Do you have persistent connections enabled in Admin | Maintenance | Server Settings | Database?

It is not enabled.

News:

Users Getting Logged In With Different Accounts?