It would be any url. There is no customization in login services or any other framework services. This issue is not predictable. I think it is an issue of session. Somehow it might be shared.
On Thu, Jul 30, 2015 at 12:49 AM, Taher Alkhateeb <[email protected]> wrote:

> Hi Sumit,
>
> Without a URL it would be difficult to debug your application especially
> since you have customized it. Your issue requires some debugging. Can you
> repeat?
>
> Taher Alkhateeb
> On Jul 29, 2015 8:56 PM, "Sumit Pandit" <[email protected]> wrote:
>
> > Hi Jacques, It is at 12.04 r1662960.
> >
> > And Taher, for which page! I am not sure. As I have mentioned, it was
> > reported by an end user and he has informed us that when he accessed the
> > site he found himself logged in. The issue is on the production
> > deployment and has been reported by a couple of users only. It is not
> > occurring for everyone. It was not reproduced on the staging or
> > development server.
> >
> > BTW the case -
> > Person A log in to URL xyz, then clicks the logout button, then person B
> > enters the URL abc on the same computer and he is automatically logged in.
> > It is not possible, since it is confirmed that Person A & Person B are
> > living in different cities. They do not share a common computer, not
> > even a network.
> >
> > One thing that I should mention is that it is an upgrade deployment from
> > 11 to 12, where ofbiz is at 12.04 r1662960 and ecommerce is customized to
> > fix upgrade issues.
> > We are connecting to the *same db* as it exists for production *env at 11.*
> >
> > Following are the entries of controller.xml for the login & main page
> >
> > <request-map uri="main">
> >     <response name="success" type="view" value="main" save-current-view="true"/>
> > </request-map>
> > <request-map uri="login">
> >     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
> >     <response name="success" type="view" value="home"/>
> >     <response name="error" type="view" value="login"/>
> > </request-map>
> >
> > On Wed, Jul 29, 2015 at 10:51 PM, Taher Alkhateeb <[email protected]> wrote:
> >
> > > In addition to Jacques's question, what is the exact URL being accessed
> > > in the beginning?
> > >
> > > Also if possible, can you give us the exact steps to repeat? For
> > > example, Person A log in to URL xyz, then clicks the logout button,
> > > then person B enters the URL abc on the same computer and he is
> > > automatically logged in. It is important to see the "Exact URL" and
> > > exact steps and if possible also the controller.xml entry corresponding
> > > to this URL.
> > >
> > > Taher Alkhateeb
> > >
> > > ----- Original Message -----
> > >
> > > From: "Jacques Le Roux" <[email protected]>
> > > To: [email protected]
> > > Sent: Wednesday, 29 July, 2015 6:42:03 PM
> > > Subject: Re: Unauthorized user loggedin
> > >
> > > Which version are you using?
> > >
> > > Jacques
> > >
> > > On 29/07/2015 17:23, Sumit Pandit wrote:
> > > > Hi Taher, Appreciate your revert,
> > > >
> > > > Logs have already been analyzed, the logger is set to warning and
> > > > nothing is available there, it is like a normal user login with no
> > > > error/warning printed. For user's feedback reference, I have a
> > > > screenshot which he had shared showing my account of that user.
> > > > There are no customizations done at framework level, the project is
> > > > using the default ecommerce login of OFBiz.
> > > >
> > > > Server is running on a Linux box with postgres DB.
> > > > Those are all the answers to your questions. I would provide more
> > > > details as per your request.
> > > >
> > > > On Wed, Jul 29, 2015 at 8:15 PM, Taher Alkhateeb <[email protected]> wrote:
> > > > > Hi Sumit,
> > > > >
> > > > > You're providing little information to go on with. Can you at least
> > > > > provide some server logs, the context on which this happened, users
> > > > > feedback, the environment in which the system is running, which
> > > > > screen, customization done to the framework?
> > > > >
> > > > > Taher Alkhateeb
> > > > > On Jul 29, 2015 5:07 PM, "Sumit Pandit" <[email protected]> wrote:
> > > > >
> > > > > > Hi All,
> > > > > > Recently for one of the client's deployments, I am getting a
> > > > > > serious security issue -
> > > > > >
> > > > > > Some of the frontend customers have reported that when they had
> > > > > > logged in to the site, it was opened as logged in with a
> > > > > > different user account. And they were able to access "my account"
> > > > > > of that user.
> > > > > >
> > > > > > I can confirm that
> > > > > > 1. there is no close network connection between both of the
> > > > > > customers (one who was accessing the site & one whose account was
> > > > > > opened).
> > > > > > 2. Both users have different usernames existing in the system.
> > > > > > 3. The account which was showing as logged in has not accessed
> > > > > > the site for a long time.
> > > > > >
> > > > > > This issue has been reported by many users and is causing serious
> > > > > > problems.
> > > > > >
> > > > > > Can someone help me by giving any clue why it is happening? Any
> > > > > > solution?
> > > > > >
> > > > > > --
> > > > > > Thanks and Regards
> > > > > > Sumit Pandit
> >
> > --
> > Thanks and Regards
> > Sumit Pandit

--
Thanks and Regards
Sumit Pandit
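
Added example, not part of the original thread and not OFBiz code: one way to test the "shared session" hypothesis raised above is to correlate session IDs with client address and login in request logs. The key=value log format, the sample lines and the names `LINE_RE` and `find_shared_sessions` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value access-log format;
# adapt LINE_RE to what your front end or servlet container really logs.
SAMPLE_LOG = """\
2015-07-29T17:01:02 ip=203.0.113.10 sid=A1B2 user=alice uri=/ecommerce/control/login
2015-07-29T17:01:40 ip=203.0.113.10 sid=A1B2 user=alice uri=/ecommerce/control/main
2015-07-29T17:03:11 ip=198.51.100.7 sid=C3D4 user=- uri=/ecommerce/control/main
2015-07-29T17:03:15 ip=198.51.100.7 sid=A1B2 user=alice uri=/ecommerce/control/main
2015-07-29T17:05:00 ip=192.0.2.55 sid=E5F6 user=bob uri=/ecommerce/control/main
2015-07-29T17:06:30 ip=192.0.2.55 sid=E5F6 user=carol uri=/ecommerce/control/main
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+) "
    r"user=(?P<user>\S+) uri=(?P<uri>\S+)$"
)


def find_shared_sessions(log_text):
    """Return {session_id: [reasons]} for sessions seen from more than one
    client IP or carrying more than one authenticated login."""
    ips = defaultdict(set)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        sid = m["sid"]
        ips[sid].add(m["ip"])
        if m["user"] != "-":  # "-" marks an anonymous request
            users[sid].add(m["user"])

    findings = {}
    for sid in ips:
        reasons = []
        if len(ips[sid]) > 1:
            reasons.append("multiple client IPs: " + ", ".join(sorted(ips[sid])))
        if len(users[sid]) > 1:
            reasons.append("multiple logins: " + ", ".join(sorted(users[sid])))
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, "->", "; ".join(reasons))
```

A hit is a lead rather than proof: a roaming client can change IP within one session, and one browser can log out and log in as someone else. The hits to look at first are those where the same session ID appears from unrelated networks within a short window.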
