MyBB Community Forums

Full Version: Users load forum to find themselves logged in another account
I haven't read through the whole thread but there's something that you could try to prevent this from happening.

Add the following to global.php below <?php:

(Assuming you're on a Linux-based server with PHP >= 5.3.3 installed)

ini_set("session.hash_function", "sha512");
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");

Adding some entropy should decrease the probability of a collision. This is just the logic; in practice it might not have the expected result.
I doubt a collision per se is the problem, by the sounds of it a session id is being shared somehow or something, and that would probably happen no matter how unique the session id is. I mean it's worth a try but I think there's more to it than that.

We have an issue with session ids with the framework we use at work (Kohana 2), I wonder if the cause is the same; that seems to be using the same session id twice too but entropy isn't a factor as it happens on so many sites it's nothing to do with uniqueness.

Ugh, hate things like this, so hard to actually debug. Besides, logging in is based on the cookie rather than the session directly.

@Jen_Vuongyen could you follow the steps I outlined in post #9 and see what the outcome is?
Well I already did what you said in post #9.

BUT as I said, the problem had just gone away by itself before I tried to do anything; I haven't seen the outcome....

And that was actually, I'm sorry, not a solution. For example, what if they log in to my admin account and don't tell me about it? Prevention is what I was looking for ^^
But that's the problem, we don't know how it happens to be able to prevent it. It happens so rarely we can't debug it.
I just thought I would say that I have this problem at college on both WordPress and MyBB. Not sure why, but we use different browsers to each other; usually I use portable Chrome.
With WordPress too? See that's what makes me think it's some sort of network issue, especially if it happens at a college. But then that doesn't explain how it happens for people who aren't on a local network...
(2012-05-20, 10:38 AM) MattRogowski Wrote: With WordPress too? See that's what makes me think it's some sort of network issue, especially if it happens at a college. But then that doesn't explain how it happens for people who aren't on a local network...

Maybe they are not on a local network but instead are on the same ISP and the ISP screwed up?
I've been experiencing this problem since I updated my forum. My site is http://pigpenpoetry.com

When I'm logged in on my own, things work OK. But once another member logs in, I get logged in as them. Other members have also experienced being logged in under other usernames. I'm very worried that this could become a security issue. Any ideas?
See post #9.
I understand that because the case is so rare it's hard to debug... but if you need any information about that, just let us know and we'll try to provide it...
The problem has just come back to my site and it's gone away again... however, I can sense that it's going to come back in the near future ;;

Thank you so much!
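
Because the thread suspects one cookie reaching two clients rather than an ID collision, one way to gather evidence for a rare event like this is to look for the same token arriving from different clients close together in time. The sketch below is an added example, not MyBB code and not part of any post; the log layout, the token names and the `shared_tokens` helper are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: time, client IP, user agent, hashed cookie token.
# This layout is an assumption for the example, not a MyBB log format.
SAMPLE_LOG = """\
2012-05-20T10:30:01,198.51.100.7,Chrome/19,tok_a1
2012-05-20T10:31:15,198.51.100.7,Chrome/19,tok_a1
2012-05-20T10:31:40,203.0.113.24,Firefox/12,tok_a1
2012-05-20T10:32:02,203.0.113.24,Firefox/12,tok_b2
2012-05-20T18:05:00,198.51.100.7,Chrome/19,tok_c3
2012-05-20T18:06:00,198.51.100.7,Chrome/19,tok_c3
"""

def parse(text):
    """Yield (timestamp, client fingerprint, token) for each log row."""
    for ts, ip, agent, token in csv.reader(io.StringIO(text)):
        yield datetime.fromisoformat(ts), (ip, agent), token

def shared_tokens(events, window=timedelta(minutes=10)):
    """Return {token: sorted clients} for tokens that two or more
    distinct clients presented within `window` of each other."""
    last_seen = defaultdict(dict)   # token -> {client: last timestamp}
    flagged = defaultdict(set)
    for ts, client, token in sorted(events):
        seen = last_seen[token]
        for other, other_ts in seen.items():
            if other != client and ts - other_ts <= window:
                flagged[token].update((client, other))
        seen[client] = ts
    return {tok: sorted(clients) for tok, clients in flagged.items()}

if __name__ == "__main__":
    for token, clients in shared_tokens(parse(SAMPLE_LOG)).items():
        print(token, "presented by", clients)
```

A user who moves between networks or browsers with the same cookie will also be flagged, so treat hits as leads to check against the affected members' reports rather than as proof.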