Hi Sumit,

Without a URL it would be difficult to debug your application, especially since you have customized it. Your issue requires some debugging. Can you repeat?

Taher Alkhateeb

On Jul 29, 2015 8:56 PM, "Sumit Pandit" <meetsumit...@gmail.com> wrote:

> Hi Jacques, It is at 12.04 r1662960.
>
> And Taher, for which page! I am not sure. As I have mentioned, it was
> reported by an end user and he has informed that when he accessed the
> site he found himself logged in. The issue is on the production
> deployment and has been reported by a couple of users only. Not
> occurring for everyone. It was not produced at the staging or
> development server.
>
> BTW the case -
> Person A logs in to URL xyz, then clicks the logout button, then person B
> enters the URL abc on the same computer and he is automatically logged in
> It is not possible, since it is confirmed that Person A & Person B are
> living in different cities. They do not share a common computer, not
> even a network.
>
> One thing that I should mention is that it is an upgrade deployment
> from 11 to 12 where ofbiz is at 12.04 r1662960 and ecommerce is
> customized to fix upgrade issues.
> We are connecting to the *same db* as it exists for the production
> *env at 11.*
>
> Following are the entries of controller.xml for the login & main page
>
> <request-map uri="main">
>     <response name="success" type="view" value="main" save-current-view="true"/>
> </request-map>
> <request-map uri="login">
>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
>     <response name="success" type="view" value="home"/>
>     <response name="error" type="view" value="login"/>
> </request-map>
>
> On Wed, Jul 29, 2015 at 10:51 PM, Taher Alkhateeb <slidingfilame...@gmail.com> wrote:
>
> > In addition to Jacques's question, what is the exact URL being accessed
> > in the beginning?
> >
> > Also if possible, can you give us the exact steps to repeat? For example,
> > Person A logs in to URL xyz, then clicks the logout button, then person B
> > enters the URL abc on the same computer and he is automatically logged
> > in.
> > It is important to see the "Exact URL" and exact steps and if possible
> > also the controller.xml entry corresponding to this URL.
> >
> > Taher Alkhateeb
> >
> > ----- Original Message -----
> >
> > From: "Jacques Le Roux" <jacques.le.r...@les7arts.com>
> > To: dev@ofbiz.apache.org
> > Sent: Wednesday, 29 July, 2015 6:42:03 PM
> > Subject: Re: Unauthorized user loggedin
> >
> > Which version are you using?
> >
> > Jacques
> >
> > On 29/07/2015 17:23, Sumit Pandit wrote:
> > > Hi Taher, Appreciate your revert,
> > >
> > > Logs have already been analyzed, the logger is set to warning and
> > > nothing is available there, it is like a normal user login with no
> > > error/warning printed. For user's feedback reference, I have a
> > > screenshot which he had shared showing my account of that user.
> > > There are no customizations done at framework level, the project is
> > > using the default ecommerce login of OFBiz.
> > >
> > > The server is running on a Linux box with postgres DB.
> > > Those are all the answers to your questions. I would provide more
> > > details at your request.
> > >
> > > On Wed, Jul 29, 2015 at 8:15 PM, Taher Alkhateeb <slidingfilame...@gmail.com> wrote:
> > >> Hi Sumit,
> > >>
> > >> You're providing little information to go on with. Can you at least
> > >> provide some server logs, the context on which this happened, users
> > >> feedback, the environment in which the system is running, which
> > >> screen, customization done to the framework?
> > >>
> > >> Taher Alkhateeb
> > >> On Jul 29, 2015 5:07 PM, "Sumit Pandit" <meetsumit...@gmail.com> wrote:
> > >>
> > >>> Hi All,
> > >>> Recently for one of the client's deployments, I am getting a serious
> > >>> security issue -
> > >>>
> > >>> Some of the frontend customers have reported that when they had
> > >>> logged in to the site then it was opened as logged in with a
> > >>> different user account. And they were able to access "my account"
> > >>> of that user.
> > >>>
> > >>> I can confirm that
> > >>> 1. there is no close network connection between both of the customers
> > >>> (one who was accessing the site & one whose account has opened).
> > >>> 2. Both users have different usernames existing in the system.
> > >>> 3. The account which was showing as logged in has not accessed the
> > >>> site since long.
> > >>>
> > >>> This issue has been reported by many users and is causing serious
> > >>> problems.
> > >>>
> > >>> Can someone help me by giving any clue why it is happening? Any
> > >>> solution?
> > >>>
> > >>> --
> > >>> Thanks and Regards
> > >>> Sumit Pandit
>
> --
> Thanks and Regards
> Sumit Pandit