Forums / Setup & design / Undesired switching of user accounts

Undesired switching of user accounts

Author Message

Rikard Ahrgren

Thursday 08 January 2009 10:34:35 am

I'm not sure if this is the right place, so please bear with me.
I have a strange problem in which a user is logged in to another users account by simply accessing the same page as the another within a short period of time.

Consider the following scenario:
One user logs in and accesses a few pages and logs out. Then another user with exactly the same rights as the first user accesses the same page a couple of minutes later.
The second user will then have been switched to the first user's account, but not with the rights to edit the first user's personal information or objects. When the second user accesses another page which the first one haven't he is switched back to his original account, but as soon as he goes to a page the other user has accessed, he is logged back to that user.

Worth to mention is that it only works if the users are a member of the same groups. Two different user with different rights does not affect each other. It works no matter if it is from the same computer or two different, from different ip-addresses.

I cannot imagine this to be a general bug, but i have no idea why it does so on my site.. I'm quite new to ez publish. Please help me.

By the way, I'm using ez publish 3.9.0.

Kristof Coomans

Thursday 08 January 2009 10:50:10 pm

Hi Rikard

Does this concern pages that were cached by the content view caching system? See http://ez.no/developer/articles/ez_publish_performance_optimization_part_3_of_3_practical_cache_and_template_solutions/caching_overview. If you want to put user specific information into node views, then you need to disable content view caching.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

André R.

Friday 09 January 2009 4:11:15 am

ezwebin on eZ Publish 3.9.0 had a issue where it caches pagelayout header (using cache block) pr users with same rights, and not pr user. So your not logged in as another user, it's just another users user name that shows up on the webpage( so no security issue besides seeing the name of another user an his user id in the markup).

You can update ezwebin to 1.2 to get the fix, but you'll need to update eZ Publish as the updated uses nested cach-block's witch didn't work on 3.9.0 (fixed in a later 3.9.x version so use latest 3.9.x version or newer).

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Rikard Ahrgren

Friday 09 January 2009 4:35:47 am

Thank you very much for your help! Disabling templatecache in site.ini.append solved my problems

Regarding the issue in 3.9.0, it sounds exactly like the problem, but when I used
{def $current_user=fetch( 'user', 'current_user' ) } in a template file it also gave the wrong user. And if the user was trying to change personal settings while the wrong name was shown it stated that the apporiate rights was missing for that account.

André R.

Friday 09 January 2009 5:25:53 am

fetch current user issue, see Kristof's post.
No rights to edit: This is caused by the fact the user id is in the url, so if you get wrong name you also get wrong url.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom