
Sessions problem


  • Sessions problem

    OK, I installed RC3 a week ago.

    Today I went into the forums (I'm admin there) and I was surprised that the admin section was gone. One quick glance at the top of the page explained why - I was logged in as another user.

    Now, I never used that user name or login nor have I ever changed any details outside the Admin interface.

    Now, since I'm an admin, this didn't hurt. But what if a vicious user logs in as admin?

    The bug is reproducible on my system. Even if I click 'logout' and then the link again from my favorites, I'm logged in as this user.

    Anyone? Someone? Bueller?

  • #2
    Are you using cookies or sessionhash on your forums?


    • #3
      No cookies.

      How do I know is sessionhash is active?


      • #4
        Because if you have selected not to use cookies on your forums, then you're using sessionhash. There are threads all over these Forums about the use of sessionhash over cookies etc. Under Edit Options in your Member Control Panel it states under "use cookies to browse boards":

        Clicking yes will use cookies to keep your id for this session. Clicking no will send it through the links. (Selecting no may cause problems when sharing links with people behind the same proxy as you)

        I believe that what I've read is the other person that appears to be logged in as you is viewing cached pages or something like that. I suggest you run a search for sessionhash and cookies threads here in the forums and review them to get a better understanding. I'm still foggy myself on how sessionhash works over cookies, and I have yet to find another forum software pkg. that operates in this manner.

        Personally, I question the value of sessionhash over cookies and think it's more of a problem/hassle than it's worth, but that's also my "ignorant"/uneducated opinion speaking as well.


        • #5
          Sending the sessionhash through the links is valuable for those who can't/won't turn on/accept cookies for whatever reason.

          The one thing that I think everyone should understand is that sessionhash is used regardless of what you select for this option. What this option means is whether it should store your sessionhash (a long string of numbers and letters) in a cookie, or send it in the links from page to page.

          Most reports of this have been that they find themselves being recognized as someone else, but once they click they are no longer seen as that user. Meaning, it's a case of one cached page being served and once a click is made a fresh page is pulled from the remote web server. SuperFlu, since you mention that you are using a favorites link to go to your forums each time, and have apparently not used cookies, assumedly that favorite has a sessionhash in the URL. Every time you load that URL, (assumedly) your ISP's proxy looks at the URL and thinks "cached page" and serves the page with the other user's name on it. Try going to your forums by typing in the URL instead of using your favorite, and see if you get the same result.


          • #6
            No, the session hash wasn't in the link and if you'd thought about it a second more you'd realize that the session hash is a temporary and random string that cannot be duplicated while preserving its properties if the session timed out.


            • #7
              Actually you're wrong. Assuming you and this other user are behind the same proxy, it sees the URL to your forums and retrieves the cached page which has the other user's name on it, expired sessionhash or not.

              My thought was that the session hash in the URL would make it even more likely. But regardless your ISP may be retrieving a cached page instead of the actual dynamic page from your site.


              • #8
                Doesn't url?s= make it lose this prob?


                • #9
                  Yes, the url?s= thingy solved it. But do you expect me to convince each of my users to put that in the URL so they won't log in as other users?

                  Duh, why can't the VB team solve this problem once and for all?


                  • #10
                    When you have each user browse boards with cookies, that url?s= "thingy" automatically gets added in. I suggest you refer to this thread:


                    • #11
                      I'm an admin in this forum as well, and I got 2 other people who logged in to the forums, with the same user name as SuperFlu did. ( [email protected] )

                      I'll quote what one of them said:
                      When I enter the forums it says the time is now 2:00, and I'm logged in as [email protected], and I see he has 4 PMs, but I can't enter any of this stuff; when I enter user CP it says "SlaYeR"..

                      What the hell..?
                      They all happen to log in as this same user name over and over.
                      I hope that this is the only user that people logged in as,
                      and that there will be a solution to this problem.


                      • #12
                        Just saw this thread someone opened:
                        This morning I open the forum and I see I am logged in as SlaYeR
                        so I refresh and I am logged in as SharkHead WTF is going on here someone help plz!
                        He logged in as "SharkHead" means he had admin privileges... I don't think that it is a good idea to give newbies this kind of power, don't you think?!


                        • #13
                          They are not logged in as you, they are merely seeing pages cached by your ISP. They will have no administrative power whatsoever. Don't believe me? Set up a 'delete me' thread and tell any user who appears to be logged in as an administrator to delete that thread.

                          If anyone succeeds, I'm wrong, but I don't believe I am.


                          • #14
                            I think you are missing the point.
                            It's not that thread that he can't delete. (and I'm not sure he can't)
                            It's a serious bug that must be solved.
                            even if he can only post with my name, or view the co-admins/moderators forums. (these forums are set as private, and when he logged in as me, he could view them)
                            These kinds of things must be kept private, and not be seen by any kind of user.
                            If you already saw this problem, then please solve it, and if you didn't, I can give you our vbb url.
                            When I have this bug, (when I'm automatically logged in as another person) I'll see what he may do, and what he can't.


                            • #15
                              The "bug" fix is to use cookies. This is not a vBulletin bug, it is a matter of the proxy caching pages and there's not really any way around that without using no-cache headers (and that's not even 100% foolproof).
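The mechanism described in #5 and the no-cache remedy named in #15 can be reproduced in a few lines. The following is an added example, not vBulletin code and not anything the posters ran: a toy forum front page that identifies the visitor from a `sessionhash` cookie or an `s=` query parameter, sitting behind a toy URL-keyed shared cache like an ISP proxy. The hostname, session hashes and the cache's behaviour are constructed for the example; the cache honours `Cache-Control: private`/`no-store` and `Vary: Cookie` the way a well-behaved shared cache would, so the same scenario can be run with no caching headers, with `private, no-store`, and with `Vary: Cookie` to see which setting stops a cookie user's logged-in page being served to the next visitor of the bare URL.

```python
"""Why a shared proxy cache can show one user's forum page to another,
and which response headers prevent it. Constructed example; not vBulletin code."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed session table: sessionhash -> username (hashes invented here).
SESSIONS = {
    "7f3a9c0e1b2d4f6a": "SharkHead",  # browses with the sessionhash in a cookie
    "c4d5e6f7a8b9c0d1": "SuperFlu",   # browses without cookies (hash goes in the URL)
}
FORUM_URL = "http://forum.example.invalid/forum/"  # constructed, non-routable host


@dataclass
class Response:
    body: str
    headers: dict
    req_cookie: Optional[str]  # sessionhash cookie of the request that produced this page


def origin(url: str, cookies: dict, cache_headers: dict) -> Response:
    """Toy forum: resolve the user from the cookie first, then from ?s=, else Guest."""
    query = parse_qs(urlsplit(url).query)
    sessionhash = cookies.get("sessionhash") or (query.get("s") or [None])[0]
    user = SESSIONS.get(sessionhash, "Guest")
    headers = {"Content-Type": "text/html", **cache_headers}
    return Response(f"Welcome, {user}", headers, cookies.get("sessionhash"))


class SharedProxyCache:
    """URL-keyed cache shared by everyone behind the same proxy.

    It refuses to store responses marked Cache-Control: private or no-store,
    and it only reuses a stored response carrying Vary: Cookie for a request
    with the same cookie value.
    """

    def __init__(self, origin_cache_headers: dict):
        self.origin_cache_headers = origin_cache_headers
        self.store: dict = {}  # url -> list of stored Response objects

    @staticmethod
    def _storable(resp: Response) -> bool:
        cc = resp.headers.get("Cache-Control", "").lower()
        return "private" not in cc and "no-store" not in cc

    def get(self, url: str, cookies: dict):
        for resp in self.store.get(url, []):
            varies_on_cookie = "cookie" in resp.headers.get("Vary", "").lower()
            if not varies_on_cookie or resp.req_cookie == cookies.get("sessionhash"):
                return resp.body, "HIT"
        resp = origin(url, cookies, self.origin_cache_headers)
        if self._storable(resp):
            self.store.setdefault(url, []).append(resp)
        return resp.body, "MISS"


def scenario(origin_cache_headers: dict) -> dict:
    """SharkHead (cookie user) loads the bare forum URL through the shared proxy;
    SuperFlu then opens the same bare URL from a favorite with no cookie, and
    finally the URL with his own ?s= hash. Returns what each request showed."""
    proxy = SharedProxyCache(origin_cache_headers)
    sharkhead_sees, _ = proxy.get(FORUM_URL, {"sessionhash": "7f3a9c0e1b2d4f6a"})
    superflu_bare, state = proxy.get(FORUM_URL, {})
    superflu_s, _ = proxy.get(FORUM_URL + "?s=c4d5e6f7a8b9c0d1", {})
    return {
        "sharkhead": sharkhead_sees,
        "superflu_bare": superflu_bare,   # the page served from the favorite link
        "superflu_cache": state,          # HIT means the proxy served a stored page
        "superflu_s": superflu_s,         # the ?s= workaround: a different cache key
    }


if __name__ == "__main__":
    for label, headers in [
        ("no caching headers", {}),
        ("Cache-Control: private, no-store", {"Cache-Control": "private, no-store"}),
        ("Vary: Cookie", {"Vary": "Cookie"}),
    ]:
        print(label, scenario(headers))
```

With no caching headers the bare URL is a cache hit and SuperFlu's favorite shows "Welcome, SharkHead", which is the symptom in this thread; the `?s=` URL is a different key, so it is fetched fresh. `Cache-Control: private, no-store` keeps the logged-in page out of the shared cache altogether, and `Vary: Cookie` keys it on the cookie so a cookie-less visitor never matches. Sending both on any page rendered for a logged-in user is the usual choice, since `Vary: Cookie` alone still lets a shared cache hold a page that shows a user's name and private messages.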

