ofbiz-dev mailing list archives

From Sumit Pandit <meetsumit...@gmail.com>
Subject Re: Unauthorized user loggedin
Date Thu, 30 Jul 2015 09:55:41 GMT
It would be any URL. There is no customization in the login services or any
other framework services. This issue is not predictable.
I think it is an issue with the session. Somehow it might be shared.

On Thu, Jul 30, 2015 at 12:49 AM, Taher Alkhateeb <slidingfilaments@gmail.com> wrote:

> Hi Sumit,
>
> Without a URL it would be difficult to debug your application especially
> since you have customized it. Your issue requires some debugging. Can you
> repeat?
>
> Taher Alkhateeb
> On Jul 29, 2015 8:56 PM, "Sumit Pandit" <meetsumit002@gmail.com> wrote:
>
> > Hi Jacques, it is at 12.04 r1662960.
> >
> > And Taher, for which page? I am not sure. As I have mentioned, it was
> > reported by an end user, and he informed me that when he accessed the site
> > he found himself logged in. The issue is on the production deployment and
> > has been reported by a couple of users only. It is not occurring for
> > everyone. It was not reproduced on the staging or development server.
> >
> > BTW, the case
> > "Person A logs in to URL xyz, then clicks the logout button, then person B
> > enters the URL abc on the same computer and is automatically logged in"
> > is not possible, since it is confirmed that Person A and Person B live in
> > different cities. They do not share a common computer, or even a network.
> >
> >
> > One thing that I should mention is that it is an upgrade deployment from
> > 11 to 12, where OFBiz is at 12.04 r1662960 and ecommerce is customized to
> > fix upgrade issues.
> > We are connecting to the *same db* that exists for the production *env at 11*.
> >
> >
> > Following are the entries of controller.xml for the login & main pages:
> >
> > <request-map uri="main">
> >     <response name="success" type="view" value="main" save-current-view="true"/>
> > </request-map>
> > <request-map uri="login">
> >     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
> >     <response name="success" type="view" value="home"/>
> >     <response name="error" type="view" value="login"/>
> > </request-map>
> >
> >
> >
> > On Wed, Jul 29, 2015 at 10:51 PM, Taher Alkhateeb <slidingfilaments@gmail.com> wrote:
> >
> > > In addition to Jacques's question, what is the exact URL being accessed
> > > in the beginning?
> > >
> > > Also, if possible, can you give us the exact steps to repeat? For
> > > example: Person A logs in to URL xyz, then clicks the logout button, then
> > > person B enters the URL abc on the same computer and he is automatically
> > > logged in.
> > > It is important to see the "exact URL" and exact steps and, if possible,
> > > also the controller.xml entry corresponding to this URL.
> > >
> > > Taher Alkhateeb
> > >
> > > ----- Original Message -----
> > >
> > > From: "Jacques Le Roux" <jacques.le.roux@les7arts.com>
> > > To: dev@ofbiz.apache.org
> > > Sent: Wednesday, 29 July, 2015 6:42:03 PM
> > > Subject: Re: Unauthorized user loggedin
> > >
> > > Which version are you using?
> > >
> > > Jacques
> > >
> > > Le 29/07/2015 17:23, Sumit Pandit a écrit :
> > > > Hi Taher, I appreciate your reply.
> > > >
> > > > The logs have already been analyzed; the logger is set to warning and
> > > > nothing is available there. It looks like a normal user login, with no
> > > > error/warning printed. For reference on the user's feedback, I have a
> > > > screenshot he shared showing the "my account" page of that other user.
> > > > There are no customizations done at the framework level; the project is
> > > > using the default ecommerce login of OFBiz.
> > > >
> > > > The server is running on a Linux box with a Postgres DB.
> > > > Those are all the answers to your questions. I will provide more details
> > > > as you request.
> > > >
> > > >
> > > > On Wed, Jul 29, 2015 at 8:15 PM, Taher Alkhateeb <slidingfilaments@gmail.com> wrote:
> > > >> Hi Sumit,
> > > >>
> > > >> You're providing little information to go on. Can you at least provide
> > > >> some server logs, the context in which this happened, user feedback,
> > > >> the environment in which the system is running, which screen, and any
> > > >> customization done to the framework?
> > > >>
> > > >> Taher Alkhateeb
> > > >> On Jul 29, 2015 5:07 PM, "Sumit Pandit" <meetsumit002@gmail.com> wrote:
> > > >>
> > > >>> Hi All,
> > > >>> Recently, for one of the client's deployments, I am getting a serious
> > > >>> security issue:
> > > >>>
> > > >>> Some frontend customers have reported that when they logged in to the
> > > >>> site, it opened as logged in with a different user account, and they
> > > >>> were able to access the "my account" page of that user.
> > > >>>
> > > >>> I can confirm that
> > > >>> 1. there is no close network connection between the two customers (the
> > > >>> one who was accessing the site and the one whose account was opened).
> > > >>> 2. Both users have different usernames existing in the system.
> > > >>> 3. The account which was showing as logged in has not accessed the
> > > >>> site in a long time.
> > > >>>
> > > >>> This issue has been reported by many users and is causing serious problems.
> > > >>>
> > > >>> Can someone help me by giving any clue why it is happening? Any
> > > >>> solution?
> > > >>>
> > > >>> --
> > > >>> Thanks and Regards
> > > >>> Sumit Pandit
> > > >>>
> > > >
> > > >
> > >
> > >
> >
> >
> > --
> > Thanks and Regards
> > Sumit Pandit
> >
>



-- 
Thanks and Regards
Sumit Pandit

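The thread ends on the hypothesis that the session is somehow being shared. The script below is an added example (not from the thread, and not OFBiz code) of the check a practitioner would run against production access logs to test that hypothesis: it flags any session id that is observed from more than one client IP, and any session id that keeps serving 200 responses after a logout request was seen for it. It assumes Tomcat's AccessLogValve pattern `%h %l %u %t "%r" %s %b %S` (session id as the last field), assumes `/ecommerce/control/logout` is the logout request, and uses constructed sample log lines; all three are assumptions, not facts from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not real traffic). Assumed format: Tomcat AccessLogValve
# pattern '%h %l %u %t "%r" %s %b %S', i.e. the servlet session id is the last field.
# Session A1B2C3D4E5F6 is deliberately seen from two client IPs, including after logout.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jul/2015:14:02:11 +0000] "POST /ecommerce/control/login HTTP/1.1" 302 0 A1B2C3D4E5F6
203.0.113.10 - - [29/Jul/2015:14:02:12 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 8120 A1B2C3D4E5F6
198.51.100.77 - - [29/Jul/2015:14:05:40 +0000] "GET /ecommerce/control/viewprofile HTTP/1.1" 200 5210 A1B2C3D4E5F6
203.0.113.10 - - [29/Jul/2015:14:07:03 +0000] "GET /ecommerce/control/logout HTTP/1.1" 302 0 A1B2C3D4E5F6
198.51.100.77 - - [29/Jul/2015:14:10:30 +0000] "GET /ecommerce/control/viewprofile HTTP/1.1" 200 5210 A1B2C3D4E5F6
192.0.2.5 - - [29/Jul/2015:14:09:15 +0000] "POST /ecommerce/control/login HTTP/1.1" 302 0 F6E5D4C3B2A1
192.0.2.5 - - [29/Jul/2015:14:09:16 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 8120 F6E5D4C3B2A1
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<sid>\S+)$'
)

# Assumed logout request URI for the OFBiz ecommerce webapp.
LOGOUT_PATH = '/ecommerce/control/logout'


@dataclass
class Request:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    sid: str


def parse_log(text):
    """Parse access-log text into Request records; lines not matching the assumed pattern are skipped."""
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        m = LOG_RE.match(line) if line else None
        if m:
            reqs.append(Request(m['ip'], m['ts'], m['method'], m['path'],
                                int(m['status']), m['sid']))
    return reqs


def sessions_shared_across_clients(reqs):
    """Return {session_id: sorted distinct client IPs} for every session id seen from more than one IP.

    A session that legitimately roams (mobile networks, proxies) can trip this too, so each hit
    needs manual review, but a session id serving two different customers is exactly the symptom
    described in the thread."""
    ips = defaultdict(set)
    for r in reqs:
        if r.sid != '-':  # '-' is what the valve logs when no session exists
            ips[r.sid].add(r.ip)
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}


def requests_after_logout(reqs, logout_path=LOGOUT_PATH):
    """Return {session_id: [(ip, path), ...]} for session ids that still serve 200 responses
    (other than a fresh login) after a logout request was seen for them.

    Heuristic: a properly invalidated session should redirect (302) to login, not return 200.
    The log is assumed to be in chronological order."""
    logged_out = set()
    suspicious = defaultdict(list)
    for r in reqs:
        if r.path == logout_path:
            logged_out.add(r.sid)
            continue
        if r.sid in logged_out and r.status == 200 and not r.path.endswith('/login'):
            suspicious[r.sid].append((r.ip, r.path))
    return dict(suspicious)


if __name__ == '__main__':
    requests = parse_log(SAMPLE_LOG)
    for sid, ips in sessions_shared_across_clients(requests).items():
        print(f'session {sid} seen from {len(ips)} clients: {", ".join(ips)}')
    for sid, hits in requests_after_logout(requests).items():
        for ip, path in hits:
            print(f'session {sid} still served {path} to {ip} after logout')
```

Run it against the real access log instead of `SAMPLE_LOG` (the valve pattern above has to be enabled in server.xml first, since the default pattern does not log `%S`). Either finding points at the session layer rather than at the login event itself, which is consistent with the logs showing a "normal" login and nothing at warning level.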