WWBN / AVideo

Create Your Own Broadcast Network With AVideo Platform Open-Source. OAVP OVP
https://avideo.tube/AVideo_OpenSource

Users are logging in as others glitch #9492

Closed JoshWho closed 4 days ago

JoshWho commented 5 days ago


Hello,

I went to log in to my account and was taken to Huntress's user panel, where I am able to change information. This happened to me yesterday with "ManOutOfTime" as well, during Zack's fundraiser. I did not enter any credentials either time and was already logged in to their account. I would consider this a major security risk as personal information and creating new passwords are both accessible.

Please see attached screenshot of me logged in to account with full access.

Thank you o/

-Strathmore

included screenshot

JoshWho commented 5 days ago

Has to be something with cache Daniel. How else would this be possible?

DanielnetoDotCom commented 5 days ago

Not sure how it is possible, but are you able to reproduce it?

Maybe it is a cache, but if it is a cache you will not be able to change anything

I have never seen this happening before

JoshWho commented 5 days ago

I never had it happen to me yet. But if a customer is saying it I am sure it is happening.

JoshWho commented 5 days ago

> Not sure how it is possible, but are you able to reproduce it?
>
> Maybe it is a cache, but if it is a cache you will not be able to change anything
>
> I have never seen this happening before

True. That is what I am thinking but hopefully it is a guarantee

JoshWho commented 5 days ago

I have seen this before with cache plugins on WordPress, and Cloudflare one time I remember did this. I have nothing external. No Cloudflare or PageSpeed or anything, it is all native AVideo running it.

JoshWho commented 5 days ago

Just no cache for crucial pages is the best way

Like no cache for My Account, wallet, My Videos etc... Anything personal do not cache

JoshWho commented 5 days ago

I have seen login redirects showing my password in the address bar and was wondering if related.

DanielnetoDotCom commented 5 days ago

I have no idea, but I must be able to reproduce it to help.

Otherwise not much I can do

Let me ask this

  1. Is it only the account page?
  2. Are you able to change something in someone else's account? (I do not think so)

JoshWho commented 5 days ago

I do not know because I have never seen it yet with me. Hate for it to be discovered by the wrong person. I just think the best way to fix this is no cache on logged-in users. Or no cache on personal pages. As long as nothing personal is being snapshotted they won't be able to do it again.

Like only cache what guest and bots can abuse

DanielnetoDotCom commented 5 days ago

Only the first page is cached, it may be something else

JoshWho commented 5 days ago

Cookie or Session Management Issues: Sometimes, web platforms might have issues with how they handle cookies or user sessions. If there's a mix-up or if cookies aren't properly cleared or managed, a user might end up accessing another user's session. This has been hinted at in broader discussions about login issues on various platforms.

Cache and Browser Issues: If users are accessing the platform from shared devices or networks (like public computers or libraries), there might be issues with cached login credentials. If the previous user did not log out properly, the next user might automatically be logged into that account.

Server or Application Errors: There could be bugs within the platform itself where user sessions are not correctly isolated or terminated. This might happen if there's a flaw in the session handling code of the website.

For Platform Developers: They should ensure robust session management, provide clear options for logging out, offer session management tools for users, and maybe implement more frequent automatic logouts or session validation checks.

DanielnetoDotCom commented 5 days ago

Sorry, but AI info now is useless

JoshWho commented 5 days ago

Sometimes. It is not GPT, I use Grok which has more dev access and real time to today's things.

JoshWho commented 5 days ago

Says:

To mitigate these issues in AVideo or similar platforms:

- Implement Robust Session Management: Ensure that sessions are securely managed with unique session IDs, proper expiration times, and secure cookie flags (like HttpOnly and Secure).
- Use Secure Protocols for Login: Ensure that login credentials and session tokens are transmitted over HTTPS to prevent session hijacking.
- Regular Security Audits: Regularly audit the code for security vulnerabilities, especially in authentication and session management logic.
- User Session Validation: Implement continuous or periodic validation of user sessions to ensure the user's identity throughout their activity on the site.
- Clear Documentation and User Education: Provide clear instructions for users on how to securely use the platform, especially in shared environments.
- Error Handling: Errors should be handled in such a way that they don't reveal or mix session data. Users should be guided to log out and clear cookies if login issues persist.

DanielnetoDotCom commented 5 days ago


JoshWho commented 5 days ago

This is the issue. The customer somehow can

JoshWho commented 5 days ago

Questioning how someone somewhere else got the exact link that had a user session when they clicked it, only tells me the cache served them that.

JoshWho commented 5 days ago

Cache is serving users sessions. To me that is clear as day

JoshWho commented 5 days ago

Like asking how building seven at world trade center fell into its footprint. Occam's razor, the columns had to be blown at the same time.

DanielnetoDotCom commented 5 days ago

I see so the user can modify info?

If yes, this is not cache, it is in the session. I will need to do some tweaks in the session id, but I need to confirm if he can modify it or not

JoshWho commented 5 days ago

They stated they logged out and did not touch it afraid to be accused of hacking.

DanielnetoDotCom commented 5 days ago

FYI cache and sessions are 2 completely different things

DanielnetoDotCom commented 5 days ago

After logout he could login properly?

JoshWho commented 5 days ago

Somehow they were given a link that has someone else's user session. I can't see how else it could be possible.

JoshWho commented 5 days ago

> After logout he could login properly?

correct

JoshWho commented 5 days ago

Has to be a session thing.

JoshWho commented 5 days ago

I just reapplied forcing the non www last night in the virtual host directory, when I discovered people were able to use both www and non www. No clue if related but might be.
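The two things raised in this thread, an explicit cookie domain so www and non-www do not end up with separate session cookies, and no caching of personal pages, can be combined in a small PHP setup like the one below. This is an added example, not AVideo's own code; the cookie domain, the `users_id` session key and the page body are assumptions.

```php
<?php
// Added example, not AVideo's own code: hardened session setup for
// personal pages (account, wallet, "my videos") in a PHP app.
// Assumptions: $cookieDomain is the canonical (non-www) host, and the
// session key 'users_id' is a placeholder for the app's own user id.
declare(strict_types=1);

function startHardenedSession(string $cookieDomain): void
{
    // One explicit cookie domain so a login on www.<host> and on <host>
    // does not leave two different session cookies behind.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $cookieDomain,
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never take a session id from the URL
    session_cache_limiter('nocache');         // PHP's own no-cache headers
    session_start();
}

function bindSessionToUser(int $userId): void
{
    // Fresh id at login: an id seen before authentication (or shared in a
    // copied link) must not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['users_id'] = $userId; // placeholder key
}

function sendNoStoreHeaders(): void
{
    // Personal pages must not be kept by any cache, so a snapshot of one
    // user's page is never handed to another visitor.
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Vary: Cookie');
}

// Usage on a personal page (constructed host for the example):
startHardenedSession('example.invalid');
sendNoStoreHeaders();
if (!empty($_SESSION['users_id'])) {
    echo 'Account page for user ' . (int) $_SESSION['users_id'];
} else {
    http_response_code(401);
    echo 'Please log in';
}
```

Call bindSessionToUser() once, right after the password check succeeds, and check the response with the browser's network panel to confirm the Set-Cookie flags and the Cache-Control header are present on every personal page.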

DanielnetoDotCom commented 5 days ago

Can you please check this update, it makes the session more secure.

JoshWho commented 5 days ago

I have no way to see if it is solved other than asking the user to just tell us if he sees it again.

DanielnetoDotCom commented 5 days ago

I just sent you new updates, I found something else.

JoshWho commented 5 days ago

Thank you. Will keep open for the next couple of days until there are no more people saying they see this.

JoshWho commented 4 days ago

So far so good. Closing for now. Thanks again.