Users reported viewing wrong posts and other users' private messages

  • Users reported viewing wrong posts and other users' private messages

    Now using vb3.8.4

    Several users have been reporting that they were viewing someone else's session; some had taken screenshots showing the private messages of the other users.
    Unfortunately I've not been able to replicate this problem.

    Users reported this problem after we moved the servers to a new location, with similar infrastructure.

    The old infrastructure, which had no problems:
    Akamai (set rules to cache images, js and css only) -> Load Balancer (with web accelerator) -> 2 x web servers + 1 database (mysql 5.0)

    New infrastructure:
    Akamai (same rules) -> Load Balancer (no web accelerator) -> 6 x web servers + 1 database (mysql 5.5)

    PHP 5.1.6

    Case 1:
    User attempts to reply to a thread in forum A; after submitting, he gets redirected to a totally unrelated thread in forum B, and the welcome message becomes "Welcome, someone else's name".
    When he refreshes, it's back to his profile.

    Case 2:
    User accesses his PM list, sees someone else's PMs.


    I'm trying to get more information from the users.
    A friend I know encountered this once, but when he tried to view the "other" user's control panel, it reverted back to the correct profile.

    Found a thread here dated 2002 with the same symptoms: https://www.vbulletin.com/forum/show...ng-user./page2
    But the settings like "Browse board with cookies" no longer exist, I think.
    I've already enabled the "Add No-Cache HTTP Headers" option.


    Any ideas on where to start troubleshooting?

    sessionhash is created using md5(uniqid(microtime)); what are the chances of a hash collision?
    Note that there are now 6 web servers in the farm. I suppose the time synchronization is accurate to the second, not microtime.
    What will happen if 2 users hit the servers at the same time?

    idhash is md5(user agent . $this->fetch_substr_ip($registry->alt_ip))
    Since Akamai passes the real IP in the header HTTP_X_FORWARDED_FOR, can I assume this shouldn't be the problem?
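
Added example, not part of the original post and not vBulletin's code: a model of the collision question asked above, comparing a clock-only session ID with a 128-bit random one. It assumes the ID is an MD5 of nothing but a microsecond-resolution clock value and that requests from all servers land uniformly within each second; `time_based_id`, `p_collision` and `simulate` are hypothetical names.

```python
import hashlib
import math
import random

# Assumption: the only input to the ID is a clock with microsecond resolution,
# so every second offers 1,000,000 possible values shared by the whole farm.
SLOTS_PER_SECOND = 1_000_000

def time_based_id(sec: int, usec: int) -> str:
    """Model of a clock-only session ID: MD5 over seconds + microseconds."""
    return hashlib.md5(f"{sec:08x}{usec:05x}".encode()).hexdigest()

def p_collision(requests_per_second: int, slots: int = SLOTS_PER_SECOND) -> float:
    """Birthday bound: chance that two new sessions in one second get the same ID."""
    n = requests_per_second
    # expm1 keeps precision when the probability is tiny (e.g. 2**128 slots).
    return -math.expm1(-n * (n - 1) / (2.0 * slots))

def simulate(requests_per_second: int, seconds: int, seed: int = 1) -> int:
    """Count the seconds in which two requests anywhere in the farm shared an ID."""
    rng = random.Random(seed)  # seeded so the constructed sample is repeatable
    collided = 0
    for sec in range(seconds):
        ids = {
            time_based_id(sec, rng.randrange(SLOTS_PER_SECOND))
            for _ in range(requests_per_second)
        }
        if len(ids) < requests_per_second:
            collided += 1
    return collided

if __name__ == "__main__":
    for rate in (10, 100, 1000):
        print(f"{rate:>5} new sessions/s: "
              f"clock-only {p_collision(rate):.6f}  "
              f"128-bit random {p_collision(rate, 2**128):.3e}")
    print("seconds with a shared ID out of 200 at 1000/s:", simulate(1000, 200))
```

MD5 adds no entropy to its input, so under this model the collision rate depends only on how many new sessions start per second across all servers, not on the hash length.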


  • #2
    Have you tried disabling your modifications to see if that is the problem?

    If this really is a server configuration problem, then you may want to look into posting over in the Server Configuration forum (see the threads at the top of that forum for needed information to post).

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to vbulletin.org
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help
