The Joomla! Forum ™



Posted: Sat Jan 10, 2009 5:18 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
cvoogt wrote:
My code works for me and since this happens to me on several servers, I suspect the core. Most users wouldn't notice this because most don't know about the System Cache anyway. For me, the problem is only the system cache. The normal cache in Global Config works fine.

Well, the system plugin has nothing to do with the modules. In fact, it won't cache if a user is logged in... It should have nothing to do with the system plugin...

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Posted: Sat Jan 10, 2009 6:06 pm
Joomla! Enthusiast

Joined: Wed Sep 27, 2006 1:10 am
Posts: 207
Location: Sterling, VA, USA
1. agree. Definitely not a security issue, but users and clients will perceive it as such.
2. agree, not a browser cache problem.
3. I'm not sure what the potential problems with the cache might be, but yes, I suppose something could be messed up there, though if I clean my entire cache and try again, it just happens again. I test using separate browsers (Firefox and IE7) to keep my user sessions separate, using two separate Joomla accounts. To reproduce:

1. Have System Cache turned on.
2. I also have the global config's cache on.
3. Log in with Firefox as "some user" using either Joomla or CB login module.
4. You should see "welcome <username>" as well as a user menu, if you have one.
5. I then go to my site in IE7, and see "welcome <username>" even though I am not logged in there. Sometimes I will see it in another language, since it's a multilingual site, so some users were seeing Chinese when they only speak English.

Update:
Now all of a sudden this issue has stopped happening to me. I have disabled my custom template code, and it is no longer happening. It has been sporadic, so it may happen again.

I have a decent size site - 3000+ articles, 3000+ users, a forum with a bunch of posts, a bookmarks directory with 2000 or so links, and so on. That's a LOT of files to cache, so maybe the problems arise when the cache gets too large?? Or could there be a conflict between the Global Configuration's cache and the System Cache?

_________________
Plethora Design - http://www.plethoradesign.com.
Joomla extensions - http://www.plethoradesign.com/downloads.


Posted: Sat Jan 10, 2009 10:22 pm
Joomla! Enthusiast

Joined: Tue Sep 06, 2005 11:46 am
Posts: 203
Location: New Zealand
ircmaxell wrote:
1. This is NOT a security issue. Sessions are not conflicting, nobody's "becoming another user", etc.


I'm fairly sure I disagree with that. At the time it happened for me, I was able to see someone else's details...I think. That said, it has been quite some time since I had the cache switched on to try, so my recollection is a bit fuzzy.

I will set up a test version of one of my sites and see what happens. In the meantime, I'll go with your comments until I can prove otherwise.

Phil

_________________
http://www.nzmac.com
NZMac.com - Supporting the New Zealand Mac Community

http://www.nziphone.com
NZiPhone.com - the home of the iPhone in New Zealand


Posted: Sat Jan 10, 2009 11:15 pm
Joomla! Enthusiast

Joined: Wed Sep 27, 2006 1:10 am
Posts: 207
Location: Sterling, VA, USA
I don't remember being able to actually edit someone else's profile though.

_________________
Plethora Design - http://www.plethoradesign.com.
Joomla extensions - http://www.plethoradesign.com/downloads.


Posted: Sun Jan 11, 2009 10:23 am
Joomla! Intern

Joined: Fri Feb 10, 2006 2:45 am
Posts: 70
Location: Hanover, Germany
ircmaxell wrote:
People, let me clarify a few things here
1. This is NOT a security issue. Sessions are not conflicting, nobody's "becoming another user", etc. And since J!'s firing, a person wouldn't see a page he wasn't authorized to see.


Dear Anthony,

Unfortunately I totally disagree :(

Because within this real existing issue, people are able to SEE the Postbox of another user and they can POST in a shoutbox using the identity of another user.

THIS IS A SECURITY Problem, at least for my personal feeling of being secure.


ircmaxell wrote:
Why do I think it's external to Joomla? There are around 1 million downloads per month of 1.5... There are what, maybe 15 or 20 people in this thread? I'm not saying it isn't happening, but numbers point to it not being a core issue...
:eek:

Dear Anthony,
I really won't be impolite, so please keep in mind that English is not my first language.

Your explanatory statement is totally [censored] and discriminatory, because you close your eye and ear from SECURITY problems of a minority group.

With this kind of argument, you could also say:
Quote:
"to die from unclean water is not my problem and not a problem at all, because it affects only other people's children within the third world"


Why can't you come out of your personal comfort zone and take Beat's findings and use all the people's offers within this thread to take a look at a real existing problem?

At least YOU would be able to save some Joomla lives and would get a place in minor groups' hearts and prayers.

_________________
Sunny regards

Kurt Steiner aka Bernd
-------------------------------------------
http://www.movegreen.de
Business Club for renewable energy


Posted: Sun Jan 11, 2009 12:06 pm
Joomla! Apprentice

Joined: Wed Mar 15, 2006 10:30 am
Posts: 27
Location: Sweden
Hi all.
I have been watching this thread for a couple of months because I am affected by the problem. So far I haven't posted anything since I had nothing to add to the description of the problem nor to a solution.

The fact that I have the problem is now the reason for me to make this post since it seems it is not taken seriously enough.

I hope for a solution soon. If it isn't a security issue then it is a matter of confidence... the opinion of the visitors to my site is that there is a security problem since they are greeted with someone else's login.

/Sven


Posted: Sun Jan 11, 2009 1:17 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 10:51 pm
Posts: 697
Location: Austria
Quote:
People, let me clarify a few things here
1. This is NOT a security issue. Sessions are not conflicting, nobody's "becoming another user", etc. And since J!'s firing, a person wouldn't see a page he wasn't authorized to see.

As can be seen, what is the definition of 'security'?
For some (like me) it is also a security issue if someone else can see my personal settings or my post.
Quote:
Why do I think it's external to Joomla? There are around 1 million downloads per month of 1.5... There are what, maybe 15 or 20 people in this thread? I'm not saying it isn't happening, but numbers point to it not being a core issue...

Maybe there is that figure of downloads, but it says nothing about how many people are using Joomla!
And one reason could be - because of 'only 15 or 20 people' - the thread title.
If it were something like 'Cache issue' or 'Somebody else can see my personal settings', maybe there would be more postings?

Finally, I cannot remember that something like this happened in Joomla 1.0.x or earlier Mambo.
To say now ' ... this can be only some external ... is not Joomla ... ' is a quick answer, but
1. where/what is the solution?
2. what leads to this issue/behaviour?

_________________
http://www.joomx.com - custom extensions and development
http://www.joomlasupportdesk.com - support, migration, training and consulting
Member of the German Joomla Translation Team


Posted: Sun Jan 11, 2009 2:21 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
mic wrote:
For some (like me) it is also a security issue if someone else can see my personal settings or my post.

With the information I have now, that's not possible, hence why I say it's not a security issue. And to KurtSteiner: Security is implemented by sessions, not what a user can or can't see. So just because they can see the "post box" doesn't mean they can use it. Security on the server side would enforce it differently...

Quote:
1. where/what is the solution?

Where's the information? I've put well over 100 hours into this issue. Between unit tests, and building loading engines, and the such. I have not even been able to replicate the issue. Nor have I been given access to any site that has this "problem". I have asked MANY times in this thread for information. Only one person (phil_roy) has provided it (Does that mean only one person wants this fixed?). I cannot do this by myself. Maybe what I said before will motivate some people to actually help... If I can get 15 or 20 responses from the Post Assistant (The one linked at the top of every page http://forum.joomla.org/viewtopic.php?f=428&t=272481), maybe we can correlate what's going on here.

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Posted: Sun Jan 11, 2009 2:41 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 10:51 pm
Posts: 697
Location: Austria
Well, I can only confirm what you are saying: ' ... not enough information ..'.
If everyone who is posting here would provide exact information about his environment, tracking this issue would be easier.
But only saying 'it does not work for me' is really not enough.

Maybe we could push this issue (and the people) forward by making it more public?

p.s.: I had this once at a Joomla template vendor 2 weeks ago (logged in with my account but could edit another profile and save it!).
Informed them, but cannot provide any detail at the moment.
Will ask them again if they can give me more information (maybe within a direct connection between them and you?).

_________________
http://www.joomx.com - custom extensions and development
http://www.joomlasupportdesk.com - support, migration, training and consulting
Member of the German Joomla Translation Team


Posted: Sun Jan 11, 2009 4:12 pm
Joomla! Enthusiast

Joined: Wed Sep 27, 2006 1:10 am
Posts: 207
Location: Sterling, VA, USA
Yes, mic, exactly.

What I would really like to know is this:

Those of you experiencing this problem:
When you view your page and see "welcome, Notmyusername", are you able to edit that other person's profile? I seriously doubt it. The sessions that handle the logins are separate from the caching, so while you're seeing a module as it was cached by a different user (and it should not have been cached), you should not be able to edit anything. For Community Builder Profiles: can anyone confirm whether or not the user profile is being cached the same way the login module is? I have not encountered that, and on my main site I've been testing, the CB login module caching problem just went away by itself. However, this has been such a problem for me that I want to make sure it is truly resolved. I don't want it coming back to haunt any Joomla users.

_________________
Plethora Design - http://www.plethoradesign.com.
Joomla extensions - http://www.plethoradesign.com/downloads.


Posted: Sun Jan 11, 2009 5:25 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 10:51 pm
Posts: 697
Location: Austria
To be a bit more specific, it was a site using XXX3pd ExtensionXXX and I could (!) edit another member's profile and save it.
All under my login data.

_________________
http://www.joomx.com - custom extensions and development
http://www.joomlasupportdesk.com - support, migration, training and consulting
Member of the German Joomla Translation Team


Last edited by ircmaxell on Sun Jan 11, 2009 6:46 pm, edited 1 time in total.
Remove possible vulnerable extension name


Posted: Sun Jan 11, 2009 6:45 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
mic wrote:
To be a bit more specific, it was a site using XXX3pd ExtensionXXX and I could (!) edit another member's profile and save it.
All under my login data.

That could (and probably is) an issue with that 3pd extension. I'd suggest contacting the 3pd and reporting it to them (and not publicizing it)...

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Posted: Sun Jan 11, 2009 7:24 pm
Joomla! Enthusiast

Joined: Wed Sep 27, 2006 1:10 am
Posts: 207
Location: Sterling, VA, USA
mic wrote:
To be a bit more specific, it was a site using XXX3pd ExtensionXXX and I could (!) edit another member's profile and save it.
All under my login data.


Mic, could you test using the regular Joomla login module and user menu and see if you're able to edit someone else's profile? It would be good to know if it's your 3rd party extension or Joomla - probably not Joomla, but good to exclude it as a possibility.

_________________
Plethora Design - http://www.plethoradesign.com.
Joomla extensions - http://www.plethoradesign.com/downloads.


Posted: Sun Jan 11, 2009 7:35 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 10:51 pm
Posts: 697
Location: Austria
To give an answer to both (ircmaxell & cvoogt): I don't know much more at the moment.
It happened on a website not owned by me.
I requested more info and am still waiting for it.

It was a strange experience I had never had before, and I reported it immediately to the website owner (a known company).
And yes, my first suggestion is also that the 3rd party extension is the 'eval'.

When I know more I will either post it here or do that privately via PM.

_________________
http://www.joomx.com - custom extensions and development
http://www.joomlasupportdesk.com - support, migration, training and consulting
Member of the German Joomla Translation Team


Posted: Tue Jan 13, 2009 5:41 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
So I guess I was right in my assumption that this is not an important issue? Otherwise there would be at least 10 posts here by now with details (the post assistant). How quick everyone is to jump on my back when I say something you may not agree with, but when help (and information) is asked for, nobody is found...

Short of any more information, from what I can see, this is not Joomla core...

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Posted: Tue Jan 13, 2009 6:27 pm
Joomla! Apprentice

Joined: Tue May 27, 2008 10:12 am
Posts: 34
Things are getting a little heated aren't they? I also got torched by a developer in a CB forum after posting politely to raise awareness of this so I understand some reticence from others who are thinking about posting here. However, I'm just interested in getting this sorted, whatever the cause so here goes.

This dump is from a site with several extensions active including CB 1.2 RC4 but I will also check on another clean installation and post back. Make of it what you will...



Diagnostic Information
Joomla! Version: Joomla! 1.5.8 Production/Stable [ Wohnaiki ] 10-November-2008 23:00 GMT
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18-53.1.6.el5PAE ( i686) | Web Server: Apache | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.67-community ( Localhost via UNIX socket )

Extended Information:
SEF: Enabled (with ReWrite) | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 32M | Max. Upload Size: 32M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.67 ( latin1 )


Posted: Tue Jan 13, 2009 6:35 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
mattfaulds wrote:
Things are getting a little heated aren't they? I also got torched by a developer in a CB forum after posting politely to raise awareness of this so I understand some reticence from others who are thinking about posting here. However, I'm just interested in getting this sorted, whatever the cause so here goes.

This dump is from a site with several extensions active including CB 1.2 RC4 but I will also check on another clean installation and post back. Make of it what you will...



Diagnostic Information
Joomla! Version: Joomla! 1.5.8 Production/Stable [ Wohnaiki ] 10-November-2008 23:00 GMT
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18-53.1.6.el5PAE ( i686) | Web Server: Apache | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.67-community ( Localhost via UNIX socket )

Extended Information:
SEF: Enabled (with ReWrite) | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 32M | Max. Upload Size: 32M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.67 ( latin1 )

2 more questions:

Legacy mode on or off (the plugin)

What are your cache settings:
Global configuration:
Plugin (system-cache):

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Posted: Tue Jan 13, 2009 6:37 pm
Joomla! Intern

Joined: Sat Feb 02, 2008 4:06 pm
Posts: 50
Location: France
Diagnostic Information
Joomla! Version: Joomla! 1.5.9 Production/Stable [ Vatani ] 9-January-2009 23:00 GMT
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18.5-imu-x86-136 ( i686) | Web Server: Apache ( http://..... ) | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 10 seconds | File Uploads: Enabled
MySQL Version: 5.0.45-log ( mysql...... via TCP/IP )

Extended Information:
SEF: Enabled (with ReWrite) | FTP Layer: Enabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: apache2handler | MySQLi: Yes | Max. Memory: 48M | Max. Upload Size: 200M | Max. Post Size: 200M | Max. Input Time: 10 | Zend Version: 2.2.0
Disabled Functions: set_time_limit,passthru,exec,system,popen,shell_exec,proc_open
MySQL Client: 5.0.22 ( latin1 )


Posted: Tue Jan 13, 2009 7:20 pm
Joomla! Apprentice

Joined: Tue May 27, 2008 10:12 am
Posts: 34
Legacy on. Only system cache needs to be on for issue to occur.


Last edited by mattfaulds on Wed Jan 14, 2009 8:58 am, edited 1 time in total.

Posted: Tue Jan 13, 2009 7:35 pm
Joomla! Enthusiast

Joined: Wed Sep 27, 2006 1:10 am
Posts: 207
Location: Sterling, VA, USA
mattfaulds wrote:
Legacy on. Only system cache needs to be on for error to occur.

Right. In my case I also had legacy on, with System Cache + Global Config cache on.
With Legacy + Global Config only, the problem disappeared.

I can't provide the technical specs on my setup right now because I am switching servers at the moment.

_________________
Plethora Design - http://www.plethoradesign.com.
Joomla extensions - http://www.plethoradesign.com/downloads.


Posted: Tue Jan 13, 2009 7:37 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
mattfaulds wrote:
Legacy on. Only system cache needs to be on for error to occur.

If legacy is off, does the problem still occur?

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Posted: Tue Jan 13, 2009 8:46 pm
Joomla! Intern

Joined: Sat Feb 02, 2008 4:06 pm
Posts: 50
Location: France
Legacy On
Global Configuration cache On
Plugin System Cache On


Posted: Tue Jan 13, 2009 9:23 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
Could someone experiencing this issue please try something for me... Change line 113 of /plugins/system/cache.php from
Code:
      $this->_cache->store();


To

Code:
// Only store the rendered page when the current user is a guest (aid is 0)
$user =& JFactory::getUser();
if (!$user->get('aid')) {
    $this->_cache->store();
}


Then clear the cache, and try again...

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs
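
A simplified model of the change proposed in the post above, added here as an illustration; it is not Joomla's plugin code and not the poster's. It shows a page cache keyed only by URL, with the store step either unconditional or limited to guests. The class and function names, the sample URL and the user name are constructed for the example, and it assumes that only guests are served from the cache.

```php
<?php
// Simplified model of a full-page cache keyed only by URL.
// Constructed for illustration; this is not Joomla's cache plugin.

final class PageCache
{
    /** @var array<string,string> cached HTML indexed by URL */
    private array $pages = [];

    public function get(string $url): ?string
    {
        return $this->pages[$url] ?? null;
    }

    public function store(string $url, string $html): void
    {
        $this->pages[$url] = $html;
    }
}

/** Renders a page that embeds per-user output, like a login module. */
function renderPage(string $url, ?string $username): string
{
    $greeting = $username === null ? 'Login form' : "Welcome {$username}";
    return "<h1>{$url}</h1><div class=\"login-module\">{$greeting}</div>";
}

/**
 * Handles one request.
 *
 * $aid mirrors the value checked in the thread's patch: 0 for a guest,
 * non-zero for a logged-in user. $guardStore selects between the original
 * unconditional store and the guest-only store.
 */
function handleRequest(
    PageCache $cache,
    string $url,
    int $aid,
    ?string $username,
    bool $guardStore
): string {
    // Read path (assumption of this model): only guests get cached pages.
    if ($aid === 0) {
        $hit = $cache->get($url);
        if ($hit !== null) {
            return $hit;
        }
    }

    $html = renderPage($url, $username);

    // Write path: without the guard every response is stored, including
    // pages rendered for a logged-in user; with it, only guest pages are.
    if (!$guardStore || $aid === 0) {
        $cache->store($url, $html);
    }

    return $html;
}

/** Replays "logged-in user first, guest second" and checks the guest's page. */
function leaksToGuest(bool $guardStore): bool
{
    $cache = new PageCache();
    handleRequest($cache, '/index.php', 1, 'alice', $guardStore);
    $guestView = handleRequest($cache, '/index.php', 0, null, $guardStore);

    return strpos($guestView, 'Welcome alice') !== false;
}

foreach ([false, true] as $guardStore) {
    printf(
        "guest-only store: %s, guest sees another user's page: %s\n",
        $guardStore ? 'yes' : 'no',
        leaksToGuest($guardStore) ? 'yes' : 'no'
    );
}
```

With the unconditional store the guest request is answered with the page rendered for the logged-in user; with the guest-only store the guest gets its own rendering.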


Posted: Tue Jan 13, 2009 9:47 pm
Joomla! Apprentice

Joined: Tue May 27, 2008 10:12 am
Posts: 34
I haven't made the adjustment yet because, annoyingly, the issue isn't occurring at the moment. This seems to be one of the problems in hunting it down. I think I need to be able to access the site from a different network/IP address. Would that make any sense?

For testing, I can't turn legacy off and keep the site running. I have got an unadulterated install to test on too so I'll try both when I can access from two places.


Last edited by mattfaulds on Wed Jan 14, 2009 8:52 am, edited 1 time in total.

Posted: Tue Jan 13, 2009 9:49 pm
Joomla! Intern

Joined: Sat Feb 02, 2008 4:06 pm
Posts: 50
Location: France
I made this modification

Now waiting for some feedback from my user...

I will let you know in this thread...


Posted: Wed Jan 14, 2009 8:00 am
Joomla! Apprentice

Joined: Mon Jan 29, 2007 2:11 am
Posts: 25
Made the modification three hours ago. The issue has not recurred. Previously, the issue always showed up within an hour of enabling the page cache plugin.

If something changes, I'll be sure to post (with the details you requested), though I doubt it will break now. I am interested in what the problem ended up being, and what finally led you to this solution.

Thank you so much for continuing to track this issue, read this thread, and work on the problem. Your efforts and achievements are greatly appreciated.


Posted: Wed Jan 14, 2009 9:41 am
Joomla! Apprentice

Joined: Wed Nov 19, 2008 8:50 pm
Posts: 7
Hi Anthony,

Apologies for the delay in replying. Here is my diagnostic info



Diagnostic Information
Joomla! Version: Joomla! 1.5.7 Production/Stable [ Wovusani ] 9-September-2008 23:00 GMT
configuration.php: Not Writable (Mode: 755 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.9-67.0.7.ELsmp ( i686) | Web Server: Apache ( http://www.** ) | PHP Version: 5.2.5
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Disabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.51a-community-log ( 127.0.0.1 via TCP/IP )

Extended Information:
SEF: Disabled (with ReWrite) | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: apache2handler | MySQLi: Yes | Max. Memory: 32M | Max. Upload Size: 2M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.51a ( latin1 )


I have made the code change you suggested on our test site, with no adverse effects, but the issue is virtually impossible to replicate on test due to the lack of volume of users.

I'm cautious of making the change on our production site until there is a bit more feedback about the fix. What is the code change you proposed designed to do?


Posted: Wed Jan 14, 2009 5:12 pm
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
I don't know if this helps, so feel free to ignore if it doesn't...

I had this happen once that I know of -- my site consists almost completely of guests coming, checking various music reviews, then leaving. The user accounts that are set up are for my writers, so I know what the behavior "should be" when a user is logged in, because it's a very limited group and they have elevated rights.

I logged in once, about three weeks ago, and noticed that one of the users was logged in -- then I noticed I was logged in as that user. I tried logging in from more than one browser and on a separate machine and, sure enough, I was logged in as that user on each. Since only registered users have access to the Virtuemart implementation on the site, I knew I was logged in at an elevated level because I could see the Virtuemart menu and I hadn't logged in myself.

So then, as a test, I logged into my administrator account and, sure enough, on a different browser, I was logged in as the Admin without actually logging in. This understandably freaked me out so I immediately logged back out on the front end, then went in and cleared all cache. The problem immediately went away.

Since I had been having other issues with 1.5.8 that were pointing to cache as being a problem, I disabled cache completely. The site is noticeably slower, but not ridiculously so, but I have not had the problem since.

All of the above is anecdotal, I realize, but given with respect to all the work going on to tie this problem down ... maybe it sheds some light. If not, disregard.
ircmaxell wrote:
Could someone experiencing this issue please try something for me... Change line 113 of /plugins/system/cache.php from
Code:
      $this->_cache->store();


To

Code:
$user =& JFactory::getUser();
if (!$user->get('aid')) {
    $this->_cache->store();
}


Then clear the cache, and try again...


IRCMaxell -- if you still need volunteers to try this patch, please say so and I'll give it a shot, even though I have only experienced this anomaly once.


Posted: Wed Jan 14, 2009 7:41 pm
Joomla! Apprentice

Joined: Mon Jan 29, 2007 2:11 am
Posts: 25
Problem Description:
The caching is working correctly now... I am using YooLogin module and it is set to Remember logins. With the Caching plugin enabled, it no longer remembers logins. When the user is logged in, quits their browser, then re-opens the browser and navigates to the site, they are no longer logged in.

Additionally, when a user attempts to re-login they receive an Invalid Token error. Refreshing the page resolves the issue for that session. It occurs every time after closing and relaunching the browser.

Actions Taken To Resolve:
Disabling the Cache plugin immediately restored the previous behavior. When closing the browser and re-opening it, the user's login is remembered.

Diagnostic Information
Joomla! Version: Joomla! 1.5.9 Production/Stable [ Vatani ] 9-January-2009 23:00 GMT
configuration.php: Writable (Mode: 775 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.20.15-vs2.2.0.2rw_vs_3 ( i686) | Web Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 ( http://www.truebluekentucky.com ) | PHP Version: 5.2.0-8+etch13
PHP Requirements: register_globals: Enabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.67-log ( dbhost via TCP/IP )

Extended Information:
SEF: Enabled (without ReWrite) | FTP Layer: Enabled | htaccess: Not Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: apache2handler | MySQLi: Yes | Max. Memory: 164M | Max. Upload Size: 32M | Max. Post Size: 8M | Max. Input Time: 90 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.32 ( latin1 )


Posted: Wed Jan 14, 2009 7:48 pm
Joomla! Ace

Joined: Thu Nov 10, 2005 3:10 am
Posts: 1926
Location: New Jersey, USA
brianjd wrote:
Problem Description:
The caching is working correctly now... I am using YooLogin module and it is set to Remember logins. With the Caching plugin enabled, it no longer remembers logins. When the user is logged in, quits their browser, then re-opens the browser and navigates to the site, they are no longer logged in.

Additionally, when a user attempts to re-login they receive an Invalid Token error. Refreshing the page resolves the issue for that session. It occurs every time after closing and relaunching the browser.

Actions Taken To Resolve:
Disabling the Cache plugin immediately restored the previous behavior. When closing the browser and re-opening it, the user's login is remembered.

So does that mean it's fixed with the above patch?

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

