login problem
-
Hi every one ,
Recently we've got reports about 2 problems with our forum login.
First one is when sometimes a user logs in with his own authentication info then he finds out that he has logged in as another user. Like I log in in NodeBB community and then I see the forum recognize me as another user.
Secondly sometimes then don't even get to see the login page. I mean when they click on login they face aforbiddenerror message which is awkward.
The version of our NodeBB is 1.0.3 (latest version)Any one can help us with this? Thanks .
-
@julian
Any ideas? guys please! -
@julian
It just got worst . Something terrible happened . Apparently some one just logged in as another user and changed her name and posted some dump posts on behalf of her.
We closed the forum . we have no idea what is going on! -
@julian said in login problem:
That's a bit weird. Ensure you don't have any sites on the same domain saving cookies using the same id.
about a year ago we had our forum domain(forum.ourdomain) and then we ommited it and we setup VBulletin for a while on another domain and then we migrated to NodeBB on forum.ourdomain (I mean we got back to this domain again). I don't think the usernames of our old Vbulletin and NodeBB are the same and they seem irrelevant at all.
I guess this is caused by redis session cache . Please help this is like a nightmare.{ "url": "http://forum.sanatisharif.ir", "secret": "****", "port": "4567", "upload_path": "/public/uploads", "bind_address":"127.0.0.1", "database": "mongo", "mongo": { "host": "127.0.0.1", "port": "***", "username": "***", "password": "***", "database": "***" }, "redis": { "host": "127.0.0.1", "port": "***", "username": "", "password": "", "database": "0" } } -
@sanatisharif Unfortunately we can't say for sure what the issue is because we don't have access. Can you get in contact with the people who logged in as somebody else and ask them how they did it?
If you bring the forum back up on a limited access (allow only your IP address via nginx), can you reproduce it?
-
@julian said in login problem:
@sanatisharif Unfortunately we can't say for sure what the issue is because we don't have access. Can you get in contact with the people who logged in as somebody else and ask them how they did it?
If you bring the forum back up on a limited access (allow only your IP address via nginx), can you reproduce it?
Thank you for your attention .
Here is the whole story:
It started with a report . One day in the past week some one reported that after he logged in he saw he was logged in as some one else . Then he logged out and came to tell us about it which we reported here at the time. After a while another person reported after entering the forum he realized his name was changed and in the recent posts section he saw there were several posts that was put by another person . He is pretty sure about not posting those himself because they are some impolite unpleasant posts and they are actually against the forum's rules.Yes I can bring it up on a limited access but I don't get what you mean by reproducing it.
-
What I mean is -- we cannot fix issues if we cannot trigger them ourselves. We need a consistent set of reproduction steps (e.g. "go to this page, log in, press enter, navigate to this page, post.") in order to confirm that this is a bug and develop a fix. Otherwise if we cannot reproduce it, then it may be a configuration problem with your install, and we cannot fix that for you.
