Permanently logged in with the wrong user

Ghost version 5.46.0
Ubuntu 20.04

I’m running into a very serious bug.

I am automatically logged in with a random user registered on my site.

  • I have never logged in with this credential or impersonated him
  • Even if I’m logged in, the login or subscribe button always appears at the top left instead of the logout and profile button
  • Even if I click logout, the page refreshes but I always remain logged in with that user.
  • I have completely cleared the cache from Cloudflare
  • I restarted Ghost
  • I restarted the server
  • I deleted that user from the database but I am still logged in as that same user
  • I tried from different browsers

This is a really big problem: I, as well as anyone else, could end up logged in with a random subscriber user that I don’t own.

What evidence are you using to say you’re logged in as the user?

What do your cookies look like when you visit the site?

What theme are you using?

If I click on login / register, the user profile popup opens, and I see the name, email and chosen plan.

I think the problem was related to a cache service that I use; turning it off seems to have returned everything to normal.

What I don’t understand is why I was logged in with that user.

Most likely you have cached the login request.

Or you’ve cached the page when it was served to a logged-in member. If you have caching set up, you need to be careful not to cache or serve cached responses to requests that have member cookies attached.

Sorry for the delay in replying.
From what I understand, it happened just like that: a new, automatically enabled caching service cached the page just when that specific user logged in.
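
As an added illustration of the caching advice in the replies above (not code from Ghost or from anyone in the thread), here is a minimal shared-cache policy that refuses to serve or store responses for requests carrying member cookies and never stores a response that sets a cookie. The cookie names are assumed Ghost defaults, header keys are assumed lower-cased, and `demoOrigin` and the sample traffic are constructed.

```javascript
// Added example: cache rules for a shared cache in front of Ghost.
// Cookie names are assumed Ghost defaults; adjust to what your site sets.
const SESSION_COOKIES = ['ghost-members-ssr', 'ghost-admin-api-session'];

function hasSessionCookie(req) {
  return (req.headers.cookie || '').split(';')
    .map((pair) => pair.split('=')[0].trim())
    .some((name) => SESSION_COOKIES.some((s) => name === s || name.startsWith(s + '.')));
}

// May this request be answered from the shared cache at all?
function mayServeFromCache(req) {
  return (req.method === 'GET' || req.method === 'HEAD') && !hasSessionCookie(req);
}

// May this origin response be stored for other visitors?
function mayStore(req, res) {
  if (!mayServeFromCache(req) || res.status !== 200) return false;
  if (res.headers['set-cookie']) return false; // e.g. the login response
  const cc = (res.headers['cache-control'] || '').toLowerCase();
  return !/\b(private|no-store|no-cache)\b/.test(cc);
}

class SharedCache {
  constructor(origin) { this.origin = origin; this.store = new Map(); }
  handle(req) {
    const key = `${req.method} ${req.url}`;
    if (mayServeFromCache(req) && this.store.has(key)) return this.store.get(key);
    const res = this.origin(req);
    if (mayStore(req, res)) this.store.set(key, res);
    return res;
  }
}

// Constructed origin: renders the page for whoever the cookie identifies.
function demoOrigin(req) {
  const m = /ghost-members-ssr=([^;]+)/.exec(req.headers.cookie || '');
  return { status: 200, headers: {}, body: m ? `member:${m[1]}` : 'anonymous' };
}

// Constructed traffic: a member loads "/" first, then two anonymous visitors.
function demo() {
  const cache = new SharedCache(demoOrigin);
  const member = { method: 'GET', url: '/', headers: { cookie: 'ghost-members-ssr=alice@example.com' } };
  const visitor = { method: 'GET', url: '/', headers: {} };
  return [member, visitor, visitor].map((r) => cache.handle(r).body);
}
```

A cache keyed only on the URL would have stored the member's page from the first request and handed it to both visitors, which is the behaviour described in this thread.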