Developer forum


User Sessions got messed up

Adrian Ursu

Hi Guys,

I have a customer that reported repeatedly that he (or other users) is logged in by default to other users' accounts when visiting the site.

The user accounts in question were not accessed from those computers at any point, so it's not just a mess of cookies. It's probably something related to Sessions.

It has not been reported by other clients nor could we reproduce the behavior but they've sent me printscreens from what they have seen.

Anyone else experienced this before?

The application version is 8.7.2.8. The solution was continuously updated over time but I believe we have not used any of the security patches.

Thanks,

Adrian

 


Replies

 
Nicolai Høeg Pedersen

We do not have anything on record on an issue like this.

You can look in GeneralLog to see what might have happened on a given user. You can use the timestamp from that and statv2session.Statv2SessionExtranetUserID to see what might have happened. I have a hard time seeing how they can take over each other's session... Unless they share username or something like that.

 
Adrian Ursu

I know. It's hard for us to reproduce the setting as well.

They did not share the username. The printscreen we got from the client is based on a new anonymous session, and the user they were logged in as is not even one from their company.

This customer is using load balancing with ARR. Maybe that could be the cause?

Thanks,
Adrian

 
Nicolai Høeg Pedersen

ARR could be the issue - if it is set up in a wrong way...

It has to be configured with Round Robin in a “Shared network content infrastructure” - and sessions have to be sticky.

 
Adrian Ursu

I have attached a PDF with a few screenshots of the settings. I am using Weighted Round Robin and Sessions are stored "In Process". The session settings are at website level and the other settings are for the ARR farm.

Thanks,

Adrian

 
Nicolai Høeg Pedersen

I am not an expert, but it looks right. The client affinity checkbox is the important one...
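
A simplified model of the setup discussed in this thread (weighted round robin, in-process sessions, client affinity), added here as an example and not code from any poster or from the product. It shows that an in-process session exists only on the node that created it, so without affinity the client appears anonymous whenever another node answers. Node names, weights, cookie names and the user are constructed assumptions.

```python
import itertools
import secrets


class Node:
    """One web server holding sessions in its own process memory."""
    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session id -> logged-in user, visible to this node only

    def handle(self, session_id, login_as=None):
        if login_as:  # a login creates the session on whichever node got the request
            session_id = secrets.token_hex(16)
            self.sessions[session_id] = login_as
        return session_id, self.sessions.get(session_id)


class Balancer:
    """Weighted round robin with an optional client-affinity cookie."""
    def __init__(self, weights, affinity):
        self.nodes = {name: Node(name) for name in weights}
        # A node with weight w takes w slots in the rotation.
        slots = [name for name, w in weights.items() for _ in range(w)]
        self.rotation = itertools.cycle(slots)
        self.affinity = affinity

    def request(self, cookies, login_as=None):
        pinned = cookies.get("affinity") if self.affinity else None
        name = pinned if pinned in self.nodes else next(self.rotation)
        sid, user = self.nodes[name].handle(cookies.get("sid"), login_as)
        if sid:
            cookies["sid"] = sid
        if self.affinity:
            cookies["affinity"] = name  # pin this client to the node that served it
        return name, user


def run(affinity, requests=6):
    """Log in once as a constructed user, then browse; return (node, user seen)."""
    lb = Balancer({"web1": 2, "web2": 1}, affinity)  # constructed farm
    cookies = {}
    seen = [lb.request(cookies, login_as="alice")]
    seen += [lb.request(cookies) for _ in range(requests - 1)]
    return seen


if __name__ == "__main__":
    for affinity in (False, True):
        print("affinity" if affinity else "no affinity", run(affinity))
```
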

 
