Users automatically logged in after logging out

  • findingpeace
    New Member
    • Jan 2013
    • 28

    [Forum] Users automatically logged in after logging out

    We have a big security issue here. Several users are reporting that when they log out, and then return to the site, they are still logged in. I have verified it from several different browsers / computers.

    Is this a known issue with vBulletin 4.2.1?

    Our htaccess file is empty. We've disabled mod expires, headers, and eAccelerator in our apache configuration. We've disabled any caching options in the vBulletin configuration file. Any other ideas? We really need to get this one figured out ASAP.

    Thanks!

  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    They have multiple cookies and your cookie configuration is breaking things.

    Change your cookie prefix from bb to vb in your config.php file. Then make sure your cookie domain is just the default setting, same for the cookie path. Finally, make sure everyone is accessing the site from the proper URL that is set in the AdminCP. If it's www.domain.com, make sure users are redirected if they come in on domain.com (note the lack of the www) or vice versa.


    • findingpeace
      New Member
      • Jan 2013
      • 28

      #3
      Prefix is already vb - cookie domain and path are defaults. I think you are definitely onto something with the www / non www thing.

      If I log into www.site and log out, I am still logged in without www.

      How exactly should I write this redirect? Can I just change cookie setting to .site.com? Right now it is just the default blank.

      Thanks!


      • Zachery
        Former vBulletin Support
        • Jul 2002
        • 59097

        #4
        Then change it again, to something like myvb (cookie prefix), and make sure your webhost has a redirect set up to make sure all of the traffic comes into the right area.


        • findingpeace
          New Member
          • Jan 2013
          • 28

          #5
          The redirect definitely works - www.mysite.com loads the site. But it's not a redirect. It shows as www.

          If they access mysite.com, it shows as that (no www).


          • Zachery
            Former vBulletin Support
            • Jul 2002
            • 59097

            #6
            Then you need to ask your webhost how to set that up. It'll prevent cookie conflicts.
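
Why a logout on one host name can leave a live session on the other, as an added example that is not part of the original thread or of vBulletin's code: a simplified cookie jar following the RFC 6265 storage rules (path matching is ignored). The host names, the cookie name `vb_sessionhash` and the session values are constructed for illustration.

```python
# Added illustration: simplified RFC 6265 cookie storage (no path/expiry logic).
# "site.example" and the cookie name "vb_sessionhash" are constructed values.

class CookieJar:
    def __init__(self):
        self.cookies = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, request_host, name, value, domain=None,
                   path="/", expired=False):
        """Apply one Set-Cookie header received from request_host."""
        host_only = domain is None  # blank Domain => host-only cookie
        cookie_domain = request_host if host_only else domain.lstrip(".")
        key = (name, cookie_domain, path)
        if expired:
            # A logout header removes only the cookie with this exact key.
            self.cookies.pop(key, None)
        else:
            self.cookies[key] = (value, host_only)

    def cookies_for(self, request_host):
        """Return the {name: value} pairs a browser would send to request_host."""
        sent = {}
        for (name, domain, _path), (value, host_only) in self.cookies.items():
            exact = request_host == domain
            subdomain = request_host.endswith("." + domain)
            if exact or (subdomain and not host_only):
                sent[name] = value
        return sent


def logged_in_after_logout(canonical_redirect):
    """Log in via both host names, log out on www, then revisit the bare host.

    With canonical_redirect=True every request is redirected to the www host
    first, which models the redirect recommended in the thread.
    """
    def host(h):
        return "www.site.example" if canonical_redirect else h

    jar = CookieJar()
    jar.set_cookie(host("site.example"), "vb_sessionhash", "session-A")
    jar.set_cookie(host("www.site.example"), "vb_sessionhash", "session-B")
    # Logout on www expires the cookie for that host only.
    jar.set_cookie(host("www.site.example"), "vb_sessionhash", "", expired=True)
    return "vb_sessionhash" in jar.cookies_for(host("site.example"))


if __name__ == "__main__":
    print("no redirect, still logged in:", logged_in_after_logout(False))
    print("with redirect, still logged in:", logged_in_after_logout(True))
```

Without the redirect the browser keeps two independent host-only cookies, so clearing one on logout leaves the other valid; with a single canonical host there is only one cookie to clear.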