In addition to Jacques's question, what is the exact URL being accessed in the 
beginning? 

Also, if possible, can you give us the exact steps to reproduce? For example: 
Person A logs in to URL xyz, then clicks the logout button, then person B enters 
the URL abc on the same computer and is automatically logged in. It is 
important to see the exact URL and exact steps, and if possible also the 
controller.xml entry corresponding to this URL. 

Taher Alkhateeb 

----- Original Message -----

From: "Jacques Le Roux" <jacques.le.r...@les7arts.com> 
To: dev@ofbiz.apache.org 
Sent: Wednesday, 29 July, 2015 6:42:03 PM 
Subject: Re: Unauthorized user loggedin 

Which version are you using? 

Jacques 

Le 29/07/2015 17:23, Sumit Pandit a écrit : 
> Hi Taher, Appreciate your revert, 
> 
> Logs have already been analyzed; the logger is set to warning and nothing is 
> available there. It looks like a normal user login with no error/warning 
> printed. For the user's feedback reference, I have a screenshot which he had 
> shared showing the "my account" page of that user. 
> There is no customization done at the framework level; the project is using 
> the default ecommerce login of OFBiz. 
> 
> The server is running on a Linux box with a Postgres DB. 
> Those are all the answers to your questions. I will provide more details at 
> your request. 
> 
> 
> On Wed, Jul 29, 2015 at 8:15 PM, Taher Alkhateeb <slidingfilame...@gmail.com 
>> wrote: 
>> Hi Sumit, 
>> 
>> You're providing little information to go on. Can you at least provide 
>> some server logs, the context in which this happened, users' feedback, the 
>> environment in which the system is running, which screen, and any customization 
>> done to the framework? 
>> 
>> Taher Alkhateeb 
>> On Jul 29, 2015 5:07 PM, "Sumit Pandit" <meetsumit...@gmail.com> wrote: 
>> 
>>> Hi All, 
>>> Recently for one of the client's deployment, I am getting a serious 
>>> security issue - 
>>> 
>>> Some frontend customers have reported that when they logged in to the site, 
>>> it opened as logged in with a different user account, and they 
>>> were able to access the "my account" page of that user. 
>>> 
>>> I can confirm that: 
>>> 1. There is no close network connection between the two customers (the one 
>>> who was accessing the site and the one whose account was opened). 
>>> 2. Both users have different usernames existing in the system. 
>>> 3. The account which was shown as logged in has not accessed the site 
>>> in a long time. 
>>> 
>>> This issue has been reported by many users and is causing serious problems. 
>>> 
>>> Can someone help me by giving any clue why it is happening? Any solution? 
>>> 
>>> -- 
>>> Thanks and Regards 
>>> Sumit Pandit 
>>> 
> 
> 
