MyBB Community Forums

Full Version: Users load forum to find themselves logged in another account

I have four users who are experiencing a weird problem: they access my forum and find themselves logged in under a completely different user, even though they are accessing the site on a computer that the other user has never accessed.

The only commonality is that all of them are based in the same city (though again they are using different IP addresses). Any suggestions on what's going on?
To be "already logged in" the cookie must be set in their browser. This sounds really strange, hope you can figure it out and share the answer here...
I've had this occur a few times at my forums. I count it as an anomaly in the database. Doubtful this can be replicated otherwise we'd see more people report it.
Glitch in the matrix? :)
I wonder if admin in same city and other user in same city would find himself logged in as that admin?
This problem persists. It's happening with 4 users who are all living in Bangkok. Maybe the country uses some type of filtering software.

I'm currently in Europe.
So Thailand does have some type of firewall. Here's what a user told me:

"My wild guess would be an ISP caching issue possibly related to the national Thai firewall."

http://en.wikipedia.org/wiki/Internet_ce...nd#Methods
You're not the first person to report this but with the way the cookies and auto-logging in works I just can't see how it's possible.

Basically the cookie that logs you in is formed by joining your user ID and your login key, separated by an underscore. So if my login key, which is stored in the database for my user, was qwertyuiopasdfghjklzxcvbnm and my user ID was 1, the cookie would be 1_qwertyuiopasdfghjklzxcvbnm. Then when I visit the site it checks if the user ID and login key match a user in the database, and if they do, logs you in. The only way you can log in as somebody else is if you had their login key, and user ID, in your cookie, but MyBB won't set someone else's details to your cookie. The login key is a randomly generated 50 character string, so the chances of having two of those the same is essentially nil, but even if there were 2 the same, the cookie would still need someone else's user ID as well. The locality of the users should have nothing to do with it, however do you know if they are all in the same physical location, like in an office over a network? Though you said they have different IPs so it may not be that... it's just as far as I remember, other people who have had this have been people on local networks and something on their network must share cookies or something weird. I don't know how that would work or why it would be there but I know for sure at least one person, probably more, who had this problem, had it over a local network. But it is still a really weird problem as it happens so rarely.
They are not in the same building, but in all likelihood are using the same ISP. They have sent me screenshots of the forum page when they were logged in to another user's account, with full privileges to post and read PMs.
Right, create a file called cookietest.php, put it in the root of your forum, and put this code in it:

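<?php
// Show the MyBB login cookie (uid_loginkey) as plain text, or a notice if it is not set.
header('Content-Type: text/plain');
echo isset($_COOKIE['mybbuser']) ? $_COOKIE['mybbuser'] : 'mybbuser cookie not set';
?>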

Ask them to go to yoursite.com/cookietest.php and this will echo out the cookie they have that's logging them in. If you could then post that here, and for each user, post what their actual user ID is (at the end of the URL when you visit their profile) - this is of their own account, not the one they're being logged in as. Then I'll see if I can try and connect the dots.
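
One way to connect the dots from the cookietest.php reports, using the uid_loginkey cookie format described earlier in the thread. This is an added example, not MyBB's code or the poster's; the function names, the user table and the sample reports are constructed for illustration.

```php
<?php
// Added example, not MyBB code. Constructed user table: uid => loginkey.
$users = [
    1 => str_repeat('a', 50),   // constructed 50-character login keys
    7 => str_repeat('b', 50),
];

// Split "uid_loginkey" as the thread describes; null if the shape is wrong.
function parse_mybbuser(string $cookie): ?array
{
    $parts = explode('_', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || $parts[1] === '') {
        return null;
    }
    return ['uid' => (int) $parts[0], 'loginkey' => $parts[1]];
}

// Classify one report: the cookie value a user saw plus that user's real uid.
function classify_report(?string $cookie, int $ownUid, array $users): string
{
    if ($cookie === null || $cookie === '') {
        return 'no-cookie';
    }
    $c = parse_mybbuser($cookie);
    if ($c === null) {
        return 'malformed';
    }
    $stored = $users[$c['uid']] ?? null;
    // hash_equals compares the keys in constant time.
    if ($stored === null || !hash_equals($stored, $c['loginkey'])) {
        return 'invalid';          // this pair would not log anyone in
    }
    return $c['uid'] === $ownUid
        ? 'own-cookie'             // browser holds the reporter's own credentials
        : 'foreign-cookie';        // browser holds another account's uid and key
}

// Constructed reports: [cookie value from cookietest.php, reporter's own uid].
$reports = [
    ['1_' . str_repeat('a', 50), 1],
    ['7_' . str_repeat('b', 50), 1],
    ['7_' . str_repeat('x', 50), 1],
    ['garbage', 1],
];
foreach ($reports as [$cookie, $uid]) {
    echo classify_report($cookie, $uid, $users), PHP_EOL;
}
```

An `own-cookie` result alongside a screenshot of another account points at the page content rather than the cookie; a `foreign-cookie` result means that account's login key is sitting in someone else's browser and should be treated as exposed.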
Hi, I got this problem yesterday ;;
And truly the location had nothing to do with it as ALL THE MEMBERS WHO WERE ONLINE THEN encountered it.

Furthermore, when I tried to log myself out, the forums would say I couldn't and that I had to press the Log out button at the top right or something. I pressed. I logged myself out but when I refreshed the page, yeah again I was under another acc.

I personally don't see this as an inconvenience for members, but I see it as a risk for my forums as they can log in to my admin accounts ;;

At the moment, the problem has gone away for no apparent reason, but I'm afraid it may come back and I'm not always there to close the site on time ;;

So is there possibly any way to prevent that? Thank you!

PS. The accounts that we were forced to log in were kinda at random I think... ;; Most of them were the ones who were actually online at the moment, but some were not even active members