#1 2015-11-25 05:09:24

oli_v_ier
Member
Registered: 2008-09-21
Posts: 39

Logged in on another account !!!

Hello,

My forum users warned me that sometimes when they open the forum, they are logged in to another person's account.
It's rare (3 or 4 times a year) but unacceptable.

I have FluxBB 1.5.9 and DokuWiki 2015-08-10a "Detritus". The wiki's authentication is done with FluxBB.

Any help will be greatly appreciated!

#2 2015-11-25 05:36:35

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,173
Website

Re: Logged in on another account !!!

What did you change in an authentication code?

#3 2015-11-25 12:55:04

Askelon
Member
From: Bretagne − France
Registered: 2010-06-09
Posts: 202
Website

Re: Logged in on another account !!!

That's been observed on other forums, including forks of FluxBB (Luna at least, don't know about Panther or Feather).

I've actually opened a private ticket for this, hoping to leave this issue publicly unknown for security reasons. I noticed you were experiencing that bug on RL too and mentioned it in the ticket. There's no cause for this that we know of. FluxBB 1.5.9 changed a few things on the authentication process and we hoped it would fix this, but obviously it didn't… It happens on different forum software with different configurations/modifications.

Just a hint: notify your users to note exactly which page of your forum they were on when this happens. It could help narrow the search, as we currently see this happening apparently at random.

#4 2015-11-25 17:53:30

oli_v_ier
Member
Registered: 2008-09-21
Posts: 39

Re: Logged in on another account !!!

Thank you for your answers (hi Askelon).

Visman wrote:

What did you change in an authentication code?

On the forum nothing.
On the wiki I use this: https://github.com/randonnerleger/wiki/ … authfluxbb

#5 2015-11-26 10:29:45

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292
Website

Re: Logged in on another account !!!

I've never seen this on Panther; I've changed the cookie stuff a bit though, so that might be enough to prevent something like this.

My instinct on this is the password hash in the cookie. I know there is more than that in the cookie, but I have a hunch that is at least partially to blame for this. On big forums, this will probably get exacerbated by the potential of two users having the same password - and since they're not salted, the hashes will be exactly the same.

Askelon wrote:

It happens on different forum software with different configurations/modifications.

To be clear - (and this is a question for Askelon now) - does this only occur when integrating FluxBB such as above - or purely at random with an unmodified version?

Perhaps it might be worth making some kind of thread with information to look out for in case it does happen?

#6 2015-11-26 11:55:36

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,537
Website

Re: Logged in on another account !!!

Hmm, the existence of custom integrations may indeed be an indicator; can we confirm that is the case for other places where this problem occurs, too?

From a quick look at the DokuWiki plugin, that code seems to be okay.

Also:
Did the users that have the problem use the login form of the forum or an integrated one?
And, most interestingly, does the affected user's password hash happen to start with "0e"?

Last edited by Franz (2015-11-26 11:56:11)


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

#7 2015-11-26 15:11:05

Askelon
Member
From: Bretagne − France
Registered: 2010-06-09
Posts: 202
Website

Re: Logged in on another account !!!

I'm using a heavily modified version of FluxBB, but nothing's been changed that should affect login/authentication. It happens seemingly at random on three accounts at least. Just checked the DB, different password hashes − neither starting with '0e' − so I'm pretty sure they're using different passwords; unrelated usernames and emails. Two IDs are consecutive (husband and wife, same internet access) but the third is unrelated, a completely different ID. Those three users aren't even in the same user group (it shouldn't have anything to do with the issue, but it adds to how unrelated the accounts are).

Last edited by Askelon (2015-11-26 15:14:30)

#8 2015-11-26 15:12:08

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292
Website

Re: Logged in on another account !!!

Maybe there is a pattern in the IDs. Do you know what the IDs are?

#9 2015-11-26 15:15:59

Askelon
Member
From: Bretagne − France
Registered: 2010-06-09
Posts: 202
Website

Re: Logged in on another account !!!

2111, 2112 and 2158. Like I said in my edit, 2111 and 2112 are married and share the same IP; 2158 is a complete stranger and still got to use 2111's account a few months ago with that bug.

Edit: just to be clear, 2111 got her account used by both 2112 and 2158 due to that bug. The three of them notified me of this, but there may be other unreported cases.

Last edited by Askelon (2015-11-26 15:17:53)

#10 2015-11-26 15:25:59

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292
Website

Re: Logged in on another account !!!

This is going to be very tricky to track down to anything specific - I think it will probably require some specifics and logging (e.g. of the date when users changed their passwords), but by that time it may well be too late and not happen again.

Askelon wrote:

2158 is a complete stranger and still got to use 2111's account a few months ago with that bug.

It's possible that 2111 and 2112 share the same computer, and possibly the same browser. If they have "keep me logged in" checked, or for whatever reason the cookie doesn't expire, then that could well be the cause.

The problem I see is that this could be just as related to malware, keyloggers etc. as to the software. As a potential (though granted not likely) scenario - a user uses a public computer (such as a school, work, college, library) and logs in to your site. Later (some time later) another user logs in and the history has not been cleared, so the cookie is still present. They are logged in as another user.

But do you know which account IDs they switch to? Are they the same user accounts every time - if it even happens more than once on the same account at all?

#11 2015-11-26 15:35:35

Askelon
Member
From: Bretagne − France
Registered: 2010-06-09
Posts: 202
Website

Re: Logged in on another account !!!

The only remarkable point I found is that in both cases users accessed 2111's account. The first time they didn't pay attention, as it was the husband, 2112, that suddenly switched to 2111's account (they're using different computers, though, that's the first question I asked). But 2158 lives half the country away, so when he switched to 2111's account, he reported it to me (using 2111's account to send me a private message). It's only when 2111 saw the private conversation that she mentioned the previous case with her husband to me. No word of the issue occurring again since then (mid-September).

Another shred: user 2158 says he tried repeatedly to log in and out to fix this, but still ended on 2111's account after a while…

#12 2015-11-26 15:45:55

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292
Website

Re: Logged in on another account !!!

This is really weird. I can't think of any logical explanation for this. But clearly there is some kind of pattern ....

oli_v_ier - what were the user IDs of the members who reported this to you?

#13 2015-11-27 13:19:42

oli_v_ier
Member
Registered: 2008-09-21
Posts: 39

Re: Logged in on another account !!!

chris98 wrote:

oli_v_ier - what were the user IDs of the members who reported this to you?

Here are the different cases:

24 November (using FluxBB 1.5.9):
9250 was logged in to 8431's account.
The first one lives in a foreign country, the second one in France.
Different hashed passwords.

In 2014 (the version used was 1.4.7) an unregistered user became logged in to a registered user's account, ID 8438. He was using the shared wifi of a campus.

In January 2015, 6142 was logged in to 3145's account (we were still on FluxBB 1.4.7).

Last edited by oli_v_ier (2015-11-27 13:20:50)

#14 2015-11-27 15:00:30

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 842
Website

Re: Logged in on another account !!!

As I said on fluxbb.fr, I think there might be another issue at play here.

Both olivier and Askelon observed this bug on a shared hosting from OVH. From what I've understood, it works using a cluster, and a new cookie is sent for every page loaded, indicating which server of the cluster answered.

What if this system was somehow failing to send the right cookie at some point?

It would be interesting to see if this issue is affecting other hosting services.


FeatherBB - A simple and lightweight new generation forum system
Based on FluxBB, written in PHP, using Slim Framework for a proper OOP-MVC architecture.

#15 2015-11-27 20:18:48

oli_v_ier
Member
Registered: 2008-09-21
Posts: 39

Re: Logged in on another account !!!

Franz wrote:

Also:
Did the users that have the problem use the login form of the forum or an integrated one?
And, most interestingly, does the affected user's password hash happen to start with "0e"?

We are using the login form of the forum. Not modified.

None of the users' password hashes started with 0e.

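The "0e" question Franz asked in #6, and oli_v_ier answered in #15, comes from a PHP comparison quirk. The following script is an added example, not FluxBB code and not posted by anyone in this thread; it assumes PHP 7.1 or later and uses constructed hash-shaped strings rather than digests of any real input. It shows that two different strings of the form "0e<digits>" compare equal under the loose == operator, why a hash that does not start with "0e" is unaffected (which is why the thread could rule this out), and the strict comparison a defender should use instead.

```php
<?php
// Added example, not FluxBB code and not posted by anyone in this thread.
// A string consisting of "0e" followed only by digits is a numeric string in PHP.
// The loose == operator compares two numeric strings as numbers, and every such
// string evaluates to 0.0, so all of them compare equal to each other.
// The values below are constructed for the demonstration, not real digests.

// Constructed: 40-character strings shaped like sha1 hex digests.
$storedHash    = '0e' . str_repeat('1', 38);  // hypothetical hash in the users table
$presentedHash = '0e' . str_repeat('2', 38);  // hypothetical hash carried in a cookie
$ordinaryHash  = 'a3' . str_repeat('4', 38);  // a hash that does not start with "0e"

// Loose comparison: what a check written as ($stored == $presented) does.
function looseMatch(string $stored, string $presented): bool
{
    return $stored == $presented;
}

// Strict comparison: hash_equals() compares byte by byte, in constant time,
// and never reinterprets either string as a number.
function strictMatch(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

var_dump(looseMatch($storedHash, $presentedHash));   // two different "0e" strings
var_dump(strictMatch($storedHash, $presentedHash));  // same pair, byte-wise
var_dump(looseMatch($storedHash, $ordinaryHash));    // "0e..." against "a3..."
var_dump(strictMatch($storedHash, $storedHash));     // identical strings
```

Run with `php` on the command line: the first var_dump prints true although the two strings differ, the second prints false, the third prints false because "a3..." is not a numeric string, and the fourth prints true. Since none of the affected users' hashes in this thread begin with "0e", this quirk cannot explain the reported account mix-ups, but any authentication path that compares hashes with == should be changed to hash_equals() regardless.
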
#16 2015-11-28 08:54:51

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,173
Website

Re: Logged in on another account !!!

File functions.php, forum_setcookie() function:

	// Enable sending of a P3P header
	header('P3P: CP="CUR ADM"');

-->

	// Enable sending of a P3P header
	header('P3P: CP="CUR ADM"');
	header('Cache-Control: private', false);

#17 2015-11-29 17:23:33

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 194

Re: Logged in on another account !!!

Just as a little helper, what Visman suggested does this:

private
Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache. This allows an origin server to state that the specified parts of the
response are intended for only one user and are not a valid response for requests by other users. A private (non-shared) cache MAY cache the response.
Note: This usage of the word private only controls where the response may be cached, and cannot ensure the privacy of the message content.

Source: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html  (point 14.9.1)

another nice explanation: https://isc.sans.edu/forums/diary/The+S … ers/17033/

If that does _not_ help, you might consider adding an option to use some kind of PHPSSID-style param (a user-specific param added to each url).


Dunno if you could request your cookie some hundred times and check if the results differ (different clusters - but this depends on how the clusters are "load balanced" - so maybe you get the same one because of your "location").


bye
Ron

Last edited by GWR (2015-11-29 17:34:16)

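Visman's change in #16 and the RFC 2616 text GWR quotes in #17 describe the same risk: a response that sets a per-user cookie but does not say "Cache-Control: private" may be stored by a shared cache (for example a reverse proxy or load balancer in front of a clustered host, as adaur suspects in #14) and served to a different visitor. The script below is an added example, not FluxBB code and not posted by anyone in this thread; it assumes PHP 7.1 or later. It audits a captured list of response header lines, such as the output of `curl -sI` pasted into an array, and reports whether a cookie-setting response is still shareable. The two header sets are constructed samples: one modelled on the original forum_setcookie() (P3P header only), one on Visman's change plus a Vary header.

```php
<?php
// Added example, not FluxBB code and not posted by anyone in this thread.
// Audits a response's headers for the condition RFC 2616 section 14.9.1 warns
// about: a response meant for a single user (it sets a cookie) that a shared
// cache is still allowed to store and replay to other users.

/**
 * Return a list of problems found in the headers; an empty list means a
 * shared cache is told not to store the response, or keys it on the cookie.
 */
function auditCookieCaching(array $headerLines): array
{
    $problems     = [];
    $setsCookie   = false;
    $cacheControl = '';
    $vary         = '';

    foreach ($headerLines as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $name  = strtolower(trim($name));
        $value = strtolower(trim($value));
        if ($name === 'set-cookie') {
            $setsCookie = true;
        } elseif ($name === 'cache-control') {
            $cacheControl .= ($cacheControl === '' ? '' : ', ') . $value;
        } elseif ($name === 'vary') {
            $vary .= ($vary === '' ? '' : ', ') . $value;
        }
    }

    if (!$setsCookie) {
        return $problems; // nothing user-specific in this response
    }

    $directives = array_map('trim', explode(',', $cacheControl));
    if (!in_array('private', $directives, true) && !in_array('no-store', $directives, true)) {
        $problems[] = 'Set-Cookie without Cache-Control: private or no-store';
    }
    if (in_array('public', $directives, true)) {
        $problems[] = 'Cache-Control: public on a response that sets a cookie';
    }

    $varyFields = array_map('trim', explode(',', $vary));
    if (!in_array('cookie', $varyFields, true) && !in_array('*', $varyFields, true)) {
        $problems[] = 'No Vary: Cookie, so a cache would not key stored copies on the request cookie';
    }
    return $problems;
}

// Constructed sample modelled on the original forum_setcookie(): P3P header only.
$before = [
    'HTTP/1.1 200 OK',
    'P3P: CP="CUR ADM"',
    'Set-Cookie: forum_cookie=EXAMPLE_VALUE; path=/; HttpOnly',  // cookie name is a placeholder
];

// Constructed sample modelled on Visman's change, plus a Vary header.
$after = [
    'HTTP/1.1 200 OK',
    'P3P: CP="CUR ADM"',
    'Cache-Control: private',
    'Vary: Cookie',
    'Set-Cookie: forum_cookie=EXAMPLE_VALUE; path=/; HttpOnly',
];

print_r(auditCookieCaching($before));
print_r(auditCookieCaching($after));
```

For the first sample the audit reports two problems (no private/no-store directive, no Vary: Cookie); for the second it reports none. To use it against a live forum, capture the headers of a page load that sets the cookie and feed the lines in; if an intermediary in front of the forum rewrites or strips Cache-Control, the capture taken from outside the intermediary is the one that matters, which is also a way to test adaur's cluster hypothesis without guessing.
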
#18 2018-08-10 09:40:08

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292
Website

Re: Logged in on another account !!!

Forgive me for necroing this thread, but after viewing this ticket where Visman posted a link back to here, it's clear this bug is still occurring.

First off, still not happening on my fork (now Aura), nor my site. I haven't ever had a single reported case of this. What strikes my interest the most is that most of these seem to be four digit IDs, and therefore the tiny forums with only a few members would not usually be affected by this "trend".

The immediate thought that popped into my head when I saw this topic again is whether this could somehow, under the correct conditions (possibly server-related??), be a mathematically-related bug. Maybe even relating to bits and bytes. Here's what we know so far:

2112 => 2111
2158 => 2111
9250 => 8431
1 => 8438
6142 => 3145

Could there be some kind of "pattern" in those which may be responsible for, or at least partially tell us, why this is happening? I'm afraid I'm essentially mathematically illiterate lol lol lol .... so I may not be the best person to try and look into it. But I just have a really strong gut feeling that it could be something to do with the maths all of a sudden .....

#19 2018-08-12 21:09:12

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,537
Website

Re: Logged in on another account !!!

Without more instructions to reproduce the issue, it will be hard to find the root cause. It might be related to caching or a bug in our authentication code.

Both will be changed in the upcoming 1.6 release, so let's hope that solves the problem...


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."
