In order for that to happen cookie wise you would  have to have multiple accounts signing in from one computer.   Are all your accounts from one computer?

Also have you made any changes lately, new plugins, moving sites, anything at all?

Dave +1

Alain, have you installed any plugins or did anything to your website, like code modification or something else, when this issue started to occur?

Try to disable 3rd party plugins if you have any and see if the issue persists. 

If it does, please, keep the 3rd party plugins disabled, switch to the default theme and PM me the access details of the users which becomes another one, so we could take a look at the issue. 

Hi guys ! 

Already thanks for your advises.

The users are from many different locations in Europe.  So it's not related to one single computer using multiple accounts.

It's not clear for me when it started.  I think it just became noticeable when more users were using the site.

I can't related it with some plugins, neither with a version of Oxwall.  I'm using version 1.7.3 now but the problem was also visible when I was using 1.7.2.

I'm using the Google Plus theme now.  But the problem also there when I used the Crayon theme.

Apart from some small CSS changes, I only changed some custom code for the IP tracking.  I'm using Varnish caching, so I had to change the IP by the X-Forwarded-For IP address, otherwise I would see all users coming from the address 192.168.3.104 (which is my Varnish server).  I have also tried to set the Varnish server in passthrough mode (for not caching anything) but the symptom still returned.

The following purchased 3rd party plugins are being used :

- Affiliates

- Country Flag

- Link Track

I added some some modules after I had already seen the symptoms.

I had already disabled "Link track" but that didn't rule out the problem

I'll with disabling the "Affiliatates" plugin after announcing that to the users.

Disabling the "Country Flag" plugin is not possible as this information is necessary for the information in the profiles.

My site was not moved from another location.  It's still the first installation, but just upgraded from 1.7.2 to 1.7.3.

i was looking at the country flag plug in made by roderick, is this the one you use, i noticed that it hasnt been updated and is for oxwall version 1.6 only

I'm sorry Alain, but we need to steps how to reproduce the issue or at least the access details of the users in order to check it 

Hi Ross,

Currently I have my firewall directly pointed to the Apache webserver for incoming communication on port 80.  So my Varnish server is not touched at all now.  I'll add a new post here after a few days if the incidents don't occur anymore, or I post immediately as soon as the same symptom appears again.

If it appears again from now on, I'll disable the "Country Flag".  I remember that it took me some efforts to disable a "Geo IP lookup function" that caused a serious bug in there.  So it's indeed a version that needs a serious update.  But it works now for me and I would miss the flag if it's not there. 

Nevertheless, stability and safety first.

I keep you up-to-date about my finding from Varnish and the "Country Flag" plugin.

A next conclusion.

Avoiding traffic via my Varnish server was obviously no solution.  It only made made my website slower and I have noticed today that I was suddenly another user which was recently on our site.

Imagine that also the opposite can happen : another user suddenly becomes the administrator of the site ==> He/she loads pictures in my profile (hopefully decent ones) or has the bad intentions to destroy the site in minutes by using the backend.

The next thing I can try is to disable the "Country Flag" but that will possibly destroy all the country information of all users.

Alain, do you have any other 3rd party plugins, if so disable them as well, just make a default software which you had when you just installed it. And see if the issue persists or try to reproduce it

As to the plugin - I don't think that Country flag stores any kind of information to show flags. 

Thanks for your advice, Ross, but I really have nothing special except from the paid plugins. 

Since a few days, I tried the following experiment.

I disabled the setcookie command in the user.php script by placing 2 slashes (//) in front of the line.  So far, this seems to avoid my problem.  At least nobody picks my admin session, neither I become another user all of a sudden.  But as a matter of precaution, I make sure that I log off from the site if I have no more actions to do on the site.

--- changed function in user.php -----------------

 public function signOut()    {
        OW::getUser()->logout();
        if ( isset($_COOKIE['ow_login']) )        {            //setcookie('ow_login', '', time() - 3600, '/');        }        OW::getSession()->set('no_autologin', true);        $this->redirect(OW::getRouter()->getBaseUrl());    }

----------------------- end of function --------------------------

You have varnish set up all wrong.  Its not a cookie issue at all it is a cache issue.  The users r seeing a cashed version of a previous user. The old version of varnish use to have to set a listen port for incoming and a rebroadcast port for outgoing, but now the latest version uses port 80 for local and web because they are 2 separate things. If you have managed web hosting I would contact your hosting provider and ask them to setup varnish on your domain for you. 

This is something that has to be correctly setup or it will keep serving everything it caches to all users going to your site.

I use Varnish, Memcache, and Opcache and have no problems with seeing the users ip addresses.

You saying you had to modify it because you was seeing local addresses from your users tells me your apache is not showing the correct side of varnish.

Hi Joshwho !

Thanks for your contribution in the discussion.  If I would suspect something that does something wrong with the site, it would be Varnish.  Therefore, I did more than telling Varnish to pass to the webserver directly instead of using any cache.  I even skipped the Varnish server completely in the communication one day : see my comments on the 22nd of May and the next day.  Memcache was disabled at the same time.  Even without Varnish server involved, it was no help : when I continued my session, I saw that I was actually another user at that time.  So I logged off and cleared my cookie and than it was possible again to log on as administrator.

As I was planning to use Varnish from the very beginning, I knew I had to do something with the reported IP addresses but that's all fine.  I had instructed Varnish to forward the real IP address.

So far, all seems to be under control since changing the signOut function in the user.php though I suppose the solution must be more than just this.  

I write new comment to the ticket if I have no more ideas.  I can't even tell about what site it is as that's dangerous in my case as an anonymous user can become administrator in certain circumstances.  It happened once that an unknown visitor could delete the half of the site at night.  So I had to restore it from backup.

Frankly speaking, I don't have a hosting provider.  I host it at home and all my servers are Ubuntu 14.04 LTS on VMware ESX.  I can change a lot if I want to.

sounds like some one rfi a shell to your server if they was able to delete your site. i recommend centos for your server os and use mod_security and mod qos on your apache and also use cloudflare and a smtp relay for your email that way you can hide your server ip. I also recommend you to use dome9 to run your firewall and it can block all access to direct ip and just allow cloudflare. it also blocks users from bruting into ftp ssh and other functions you do not want to access the server.

Wish you best of luck with your project. Glad your fix worked in the user file.   Peace.

Alain, can you please PM me your admin details and CPanel access details. 

Also can you please deactivate all caching systems and plugins beforehand. I'll check the issue. 

Hi JoshWho, Ross,

Thanks for you hints.  

First of all, I don't expect any intrusion.  I have a severe firewall which is right behind my cable modem.  

It must have something to do with some kind of caching, I still hope.  I have a look of what else can be turned off.

In the meanwhile, I can tell that the problem is not gone.  The following happened.

When I start up my computer and I go to the site, I'm immediately another user.  So even before logging on since about 20 hours ago.  Perhaps this symptom happens between other users too. But so far it looks like nobody is becoming administrator anymore since the exclude of the setcookie command.

Something else I forgot to tell but it happens more rarely.  From time to time, especially when I forget to log off from the site, it looks like I'm sending stupid newsfeeds with just two characters randomly : like "YT", "BH", "RP", "OQ", ....what ever.  I just delete the posts when I seem them appearing.  I do the same when this happend for another user.  

This is really strange.

I keep my investigations posted.

I consider your proposal, Ross.

Alain, If I may pop in here, you can probably save a whole lot of time and trouble if you let Ross check things out. I had problems with my site, I gave him access to my server, my site admin login, everything. Ross found all problems, fixed them, and my site has been running perfectly ever since. (Thanks Ross!) 

He is trustworthy and quite good at finding and resolving problems.

Alain, I'm sorry but we cannot reproduce neither of the problems you described, on our side. Which is why we need to take a look at your server environment,  settings

OK.  I think there's no other way as I'm lost.  Ross, let me know in PM what accesses you need.  SSH, PhpMyAdmin, ..... ?

Should I make an exact copy of the website (including database) on the same server with just another subdomain ?  More and more visitors are subscribing and the problem described is a disaster.  Even now, I saw that sombody became my user and placed comments to other users while I didn't do that.  I had to delete the comments afterwards.

PM me your FTP, phpmyadmin and admin access details, if you don't have ftp then ssh access details. Don't forget before sending pm, disable all caching plugins and systems you have on your server/website. 

No need to copy your installation, I can check the original one. 

Hello Ross,

I've sent you the details for getting in a copy of my website.

After sending a recent newsletter, I experienced several mixes of events like a newsfeed that said that user A uploaded 6 new photos while it was user B that uploaded the pictures.  I had to correct the mistakes on the website in the database directly.

I see that Oxwall 1.7.4 is available.  I'd like to update ASAP in the hope that the strange issues with the user mixes disappear.