Developer forum

Forum » CMS - Standard features » User Sessions got messed up

User Sessions got messed up

E-mail notifications
Adrian Ursu
Reply
Posted on 06/05/2016 23:43:36

Hi Guys,

I have a customer that reported repeteadly that he (or other users) are logged in by default on other users account when visiting the site.

The user account in cause were not accessed form those computers at any point so it's not just a mess of cookies. It's probably something related to Sessions.

It has not been reported by other clients nor could we reproduce the behavior but they've sent me printscreens from what they have seen.

Anyone else experienced this before?

The application version is 8.7.2.8. The solution was continuously updated over time but I belive we have not used any of the security patches.

Thanks,

Adrian

 


Replies

 
Nicolai Høeg Pedersen
Posted on 09/05/2016 13:22:01
Reply

We do not have anything on record on an issue like this.

You can look in GeneralLog to see what might have happened on a given user. You can use the timestamp from that and statv2session.Statv2SessionExtranetUserID to see what might have happened. I have hard time to see how they can take over each others session... Unless they share username or something like that.

 
Adrian Ursu
Posted on 09/05/2016 14:41:13
Reply

I know. It's hard for us to reproduce the setting as well.

They did not share the username. The printscreen we got from the client is based on a new anonymous session and the user they have been logged as, it's not even one from their company.

This customer is using the Load balancing with ARR. Maybe that could be the cause?

Thanks,
Adrian

 
Nicolai Høeg Pedersen
Posted on 09/05/2016 14:53:04
Reply

ARR could be the issue - if it is setup in a wrong way...

It has to be configured with Round Robin in a “Shared network content infrastructure” - and sessions have to be sticky.

 
Adrian Ursu
Posted on 09/05/2016 15:51:37
Reply

I have attached a PDF with a few screenshots of the settings. I am using Weighted Round Robin and Sessions are stored "In Process".The session settings are at website level and the other settings are for the ARR farm.

Thanks,

Adrian

 
Nicolai Høeg Pedersen
Posted on 09/05/2016 16:02:00
Reply

I am not an expert, but it looks right. The client affinity checkbox is the important one...

 

You must be logged in to post in the forum