What could cause a user to have another user's session?

Hi All,

I’m using Bitnami’s Discourse container for my website and my website has recently gone live. It is working fine except for one serious issue, which is users taking on other users’ sessions randomly.

Using Discourse 2.5.0 with Apache, Passenger, Redis and PostgreSQL. One thing to note is that we’ve implemented SSO for our site using Discourse’s SSO options.

I was first suspecting that it could be related to Passenger settings. I’ve verified that we’re using “PassengerSpawnMethod Direct”, as I’ve read that other people had this issue with the Smart spawn method.

Now I’ve tried various server configurations, reviewed our SSO code for bugs, etc., but to no avail.

The only clue I have come across is in “user_auth_token_logs” where I see an auth token mixup. I’m just mentioning one of the session mixup cases below.

User 1
UserID: 7547
Username: Wicky
Last login date: 2020/11/12
IP Address: {redacted}

User 2
UserID: 118279
Username: Robin2
Last login date: 2020/11/16
IP Address: {redacted}

User session duration: 1440 hours

The first user reported on 2020/11/17 that when he re-opened the site, he was automatically logged in as the second user. I checked our SSO logs and there wasn’t any SSO activity from these two users on 2020/11/17. I then checked the auth logs. I see the first user’s IP and user agent in the second user’s token record, and the action is “rotate” in that record. There are several other similar cases with similar auth logs. However, there is no discernible pattern that I could see, like browser, time of day, gap in between logins, etc.

Here is a screenshot of it.
{redacted}

I also wanted to attach the complete auth logs or more screenshots for the two users, but I’m not permitted to upload files and am only permitted to upload a single screenshot, being a new user.

This is a serious issue for us. It is causing concern among our site’s users so any help on this would be greatly appreciated.

Thanks.

1 Like
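
The pattern described in the post above (one user's IP and user agent appearing on a "rotate" record of another user's token, with no login in between) can be searched for across the whole auth log. The Python below is an added example, not part of the original thread or of Discourse's code; the row field names, the "generate" login action and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows. Field names and the "generate" login action are
# assumptions modelled on the columns the post mentions, not a real export.
FIELDS = ("created_at", "user_id", "action", "client_ip", "user_agent")
SAMPLE_ROWS = [dict(zip(FIELDS, r)) for r in [
    ("2020-11-12T09:00:00", 7547, "generate", "198.51.100.7", "UA-A"),
    ("2020-11-12T09:20:00", 7547, "rotate", "198.51.100.7", "UA-A"),
    ("2020-11-16T18:00:00", 118279, "generate", "203.0.113.9", "UA-B"),
    ("2020-11-16T18:30:00", 118279, "rotate", "203.0.113.9", "UA-B"),
    # The suspicious row: user 7547's client on user 118279's token.
    ("2020-11-17T08:15:00", 118279, "rotate", "198.51.100.7", "UA-A"),
]]


def find_cross_user_rotations(rows, login_action="generate", rotate_action="rotate"):
    """Flag rotate rows whose client (IP, user agent) never logged in as the
    token's user but did log in as someone else earlier in the log."""
    logged_in = defaultdict(set)  # (ip, user agent) -> user_ids it logged in as
    findings = []
    # ISO 8601 timestamps sort correctly as strings.
    for row in sorted(rows, key=lambda r: r["created_at"]):
        client = (row["client_ip"], row["user_agent"])
        uid = row["user_id"]
        if row["action"] == login_action:
            logged_in[client].add(uid)
        elif row["action"] == rotate_action and uid not in logged_in[client]:
            known_as = sorted(logged_in[client])
            if known_as:  # no earlier login on record: nothing to compare
                findings.append({
                    "created_at": row["created_at"],
                    "token_user": uid,
                    "client_known_as": known_as,
                    "client_ip": row["client_ip"],
                    "user_agent": row["user_agent"],
                })
    return findings


if __name__ == "__main__":
    for hit in find_cross_user_rotations(SAMPLE_ROWS):
        print(hit)
```

Hits are leads rather than proof: several people behind one NAT address with identical user agents can produce the same pattern, so each hit should be checked against the SSO logs for that time.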

We strongly recommend that you follow our official installation guide to self-host Discourse. The Bitnami image regularly causes problems, and we cannot support it here.

If you must continue with the current setup, then I would suggest making sure you have no caching configured anywhere between the users and Discourse. If cached responses are being returned to multiple users, that could explain the behaviour you’re seeing.

8 Likes

Hi @david

So I’ve done the official Discourse installation as per your recommendation. The site is up and working. I have two custom plugins (written myself) which I would like to add to this site, but I’m not sure which directory to place those in. I’ve gone through this tutorial

But the source code of the project is not obviously placed in the Docker container as it was in the Bitnami stack that I previously worked with. I am new to this setup and any help on this would be appreciated.

Thanks

To install a plugin in production, you’ll want these instructions:

1 Like