+2 votes
1.9k views
in Q2A Core by
edited by

I am facing issue with my site. Please help me.

It's an emergency :'(

http://www.question2answer.org/qa/54400/strange-problem-login-as-another-user

----------------------------------------------------------------------------------------------------------------------

Update 1: I have migrated back to 1.74 (with all user credentials reset)

It's pure core Q2A. No other user authentication plugin is used. The problem STILL exists.

Last registered user account will be logged in to someone else...!!!

----------------------------------------------------------------------------------------------------------------------

Update 2: Finally, the issue got resolved.

Special thanks to @pupi1985, who dug into the root of the issue :)

The issue was with shared hosting. The server was serving cached data!

The response header contained the flag X-Served-From-Cache: Yes

Solution: Move out of shared hosting to a VPS!

PS: For the 1.8 release, can we add this check during the installation process to stop users installing on such servers?

-----------------------------------------------------------------------------------------------------------------------

Q2A version: 1.8
by
Any updates ....

3 Answers

+3 votes
by
selected by
 
Best answer
Glad you found your answer. I don't know who your host is but what they have done is a huge security breach so I wouldn't trust them, even with a VPN! At worst all they should do in this situation, when a site gives a no-cache header, is return an error page.

As to your question, I don't think there would be any way to check if a server will have this problem. Most shared servers do not do this caching thing, plenty of people have used Q2A on shared servers and no one has come across this problem before.
by
@Scott, thanks for your efforts building this platform.
+3 votes
by
edited by

This is my reasoning, so it may not be correct. But I would like to show you one solution.

If there is any bug in the open login plugin, you should delete it. However, deleting the plugin will not solve the login problem. Because, if the user checked "remember" option on the login page, session (login) data will be stored in the user's machine (cookie) for one month. If the user visits your site again, Q2A will automatically log in using incorrect login data.

I think there are several ways to solve this problem. The easiest way is to temporarily change Q2A session variables. Incorrect login data on the client (cookie) expires after one month. Therefore, you can restore the core program after one month.

How to change core program:

  1. Open qa-include/app/users.php with any text editor
  2. Replace "'qa_session" with "'qa_session_temp" (there will be 15 such lines)

Example of L198:

//setcookie('qa_session', $handle.'/'.$sessioncode.'/'.($remember ? 1 : 0), $remember ? (time()+2592000) : 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
setcookie('qa_session_temp', $handle.'/'.$sessioncode.'/'.($remember ? 1 : 0), $remember ? (time()+2592000) : 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);

I cannot compensate you for any damage due to this change. Therefore, you must do this at your own risk. However, this measure may be useful if you are in trouble.

by
Thanks for the response.

Now users get automatically logged in to a random account when they click on the 'Register' or 'Login' button (without filling in the username & password) for the first time.

But once they log out, everything works normal.

I tried installing new browser to eliminate cache/cookie possibility.

Any solution/workaround for this?
by
@sama55, Thanks for the help. :)
0 votes
by
edited by
I too got the same problem after installing the chat master plugin. I am using version 1.7.5 on shared hosting. Open Login is also there. It's the first time I am seeing this problem. So I deleted the plugin. The problem is still there. I contacted the hosting company and they told me they don't use any caching on shared hosting. I asked them whether they are using Nginx fastcgi to serve static pages. Their main server is Nginx and the application server is Apache. They replied telling me to add this to the .htaccess file.

Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"

Just added the thing to htaccess.

Update: still the problem is there even on 1.8. Now deleted open login. Waiting to see whether it is happening again or not. So a VPS is a must for using q2a?!!
by
The hosting company is saying again that they don't have any kind of caching on Apache (cPanel) hosting by default.

They are suggesting to change the setting of cache expire time or check the site's code.

According to them a VPS can't make any change.
by
Login problem has been a big headache. I think it happens when concurrent processes are at their limit. Entry process limit is there for all shared hosting plans. So whenever there is much activity or site is busy we can expect a login problem.

So I moved to VPS today. VPS is a must if you are serious about your q&a site.
by
VPS and cPanel is a must for running a trouble-free q&a site.
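
Added example (not part of the original thread and not Q2A code): a header audit for the symptom reported in Update 2 (X-Served-From-Cache: Yes) and for the Cache-Control line discussed in the last answer. It flags a login-page response that came from a cache despite no-store/private or with a Set-Cookie attached. The function names, the X-Cache and Age checks, and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit headers of a page that must never be cached (login,
# register) for signs that a shared cache replays one visitor's response.
HIT_MARKERS = {
    "x-served-from-cache": "yes",   # header reported on this page
    "x-cache": "hit",               # assumption: common proxy convention
}
NO_SHARE = {"no-store", "no-cache", "private"}

def values(headers, name):
    """All values of a header; names are case-insensitive."""
    return [v.strip() for k, v in headers if k.lower() == name]

def served_from_cache(headers):
    """True if any header says the response is a stored copy."""
    for name, marker in HIT_MARKERS.items():
        if any(v.lower().startswith(marker) for v in values(headers, name)):
            return True
    # Age is added by caches; a non-zero value means a stored response.
    return any(v.isdigit() and int(v) > 0 for v in values(headers, "age"))

def audit(headers):
    """Findings for one response; an empty list means nothing suspicious."""
    if not served_from_cache(headers):
        return []
    findings = ["response served from cache"]
    directives = {d.strip().lower().split("=")[0]
                  for v in values(headers, "cache-control") for d in v.split(",")}
    if directives & NO_SHARE:
        findings.append("cache ignored origin Cache-Control")
    if values(headers, "set-cookie"):
        findings.append("cached response carries Set-Cookie")
    return findings

def replayed_cookies(resp_a, resp_b):
    """Set-Cookie values that two independent cookie-less clients both got."""
    return sorted(set(values(resp_a, "set-cookie")) & set(values(resp_b, "set-cookie")))

# Constructed samples: cookie layout follows handle/sessioncode/remember.
CLIENT_A = [
    ("Cache-Control", "max-age=0, private, no-cache, no-store, must-revalidate"),
    ("Set-Cookie", "qa_session=alice/0123abcd/1; path=/; HttpOnly"),
    ("X-Served-From-Cache", "Yes"),
]
CLIENT_B = list(CLIENT_A)  # a second browser received the same stored response
ORIGIN_OK = [("Cache-Control", "no-store"),
             ("Set-Cookie", "qa_session=bob/89ef4567/0; path=/; HttpOnly")]

if __name__ == "__main__":
    print(audit(CLIENT_A))
    print(replayed_cookies(CLIENT_A, CLIENT_B))
```

To use it on a live site, feed it the header lists from two requests made with separate, empty cookie jars; any value returned by replayed_cookies means the host is handing the same session to different visitors.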