MyBB Community Forums

I'm getting reports from my forum users that when they log in they are logged in "as if they were another user". I don't have much detail but clearly quite concerning.


I'm running the latest version of MyBB.

Recently the sessions table has been causing an error - it seems to need to be repaired roughly once a week.

I've tried deleting all the rows from the sessions table in an attempt to find a permanent fix the problem with the sessions table needing to be rebuilt. That said, I don't think deleting the rows in the sessions table should cause people to be given another person's profile when they log in.


Does any of this ring any bells?


I'm technically competent but I have limited knowledge of the MyBB system. Can anyone point me in the right direction please?

Do you have some sort of webserver cache? Varnish, etc? Sounds like it's caching PHP pages and serving them to other users.

(2019-06-06, 10:45 AM)Nathan Malcolm Wrote: [ -> ]Do you have some sort of webserver cache? Varnish, etc? Sounds like it's caching PHP pages and serving them to other users.

Good question Nathan, but no caching.

That's generally been the case in the past with this issue. I'd definitely recommend double checking.

Is anyone able to give me a quick overview of what happens when someone logs in please?

I'm happy to receive answers by DM if there are any security concerns but presumably the system should be secure...

try using Send No Cache Headers at Server and Optimization Options of Configuration section

OK, a bit more info.

It appears that users ARE logged in correctly.  However, the text near the top of the screen where is says this

Hello There, Guest! Login Register

...is misleading.

The text "Hello there, <username>" changes from page to page.

Initially it correctly shows my username but when I move to another page the username displayed changes to either another username or to "Guest!".


Not as serious as people being logged in as each other but still very misleading and not good for confidence in the forum software.

Does that jog anyone's memory for a cause of this issue?...

---

Looking at the code

The header_welcomeblock_member template displays this: {$lang->welcome_logout}
which is defined as

$lang->welcome_back = $lang->sprintf($lang->welcome_back, $mybb->user['username'], $lastvisit); in the global.php file

So $mybb->user['username'] is being populated incorrectly.

Thoughts...?

^ basically the issue is related to aggressive cache & cookie setting (stored through browser)
you can also try this .htaccess method

That may well be it. Just waiting for some feedback.

Why would my browser know anything about another user's username?

^ that comes from some weird cache set at web server !