Permanently logged in with the wrong user

Ghost version 5.46.0
Ubuntu 20.04

I’m running into a very serious bug.

I am automatically logged in with a random user registered on my site.

  • I have never logged in with this credential or impersonated him
  • Even if I’m logged in, the login or subscribe button always appears at the top left instead of the logout and profile button
  • Even if I click logout, the page refreshes but I always remain logged in with that user.
  • I have completely cleared the cache from Cloudflare
  • I restarted Ghost
  • I restarted the server
  • I deleted that user from the database but I am still logged in as that same user
  • I tried from different browsers

This is a really big problem. I, as well as anyone else, could end up logged in with a random subscriber user that I don’t own.

What evidence are you using to say you’re logged in as the user?

What do your cookies look like when you visit the site?

What theme are you using?

If I click on login / register, the user profile popup opens, and I see the name, email and chosen plan.

I think the problem was related to a cache service that I use; turning it off seems to have returned everything to normal.

What I don’t understand is why I was logged in with that user.

Most likely you have cached the login request.

Or you’ve cached the page when it was served to a logged-in member. If you have caching set up, you need to be careful not to cache or serve cached responses to requests that have member cookies attached.

Sorry for the delay in replying.
From what I understand it happened just like that: a new, automatically enabled caching service cached the page just when that specific user logged in.
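
The caching rule from the reply above, as an added example that is not part of the thread and is not Ghost's or any cache vendor's code: a small path-keyed page cache run with and without the "skip requests that carry member cookies" check. It assumes the member session cookies are named `ghost-members-ssr` and `ghost-members-ssr.sig`; `PageCache`, `origin`, `SESSIONS`, the token and the `/account/` path are constructed for the illustration.

```python
# Added illustration, not Ghost or cache-vendor code.
# Assumption: the member session cookie is named "ghost-members-ssr".
MEMBER_COOKIES = {"ghost-members-ssr", "ghost-members-ssr.sig"}
SESSIONS = {"tokA": "alice@example.com"}  # constructed session table


def parse_cookies(headers):
    """Return the request's cookies as a dict (empty when no Cookie header)."""
    pairs = (p.strip().split("=", 1) for p in headers.get("Cookie", "").split(";"))
    return {p[0]: p[1] for p in pairs if len(p) == 2}


def origin(method, path, headers):
    """Constructed stand-in for the site: the page names the logged-in member."""
    member = SESSIONS.get(parse_cookies(headers).get("ghost-members-ssr"))
    return 200, {}, f"account: {member or 'anonymous'}"


class PageCache:
    """Path-keyed cache; guard=True applies the member-cookie rule."""

    def __init__(self, origin, guard):
        self.origin, self.guard, self.store = origin, guard, {}

    def fetch(self, method, path, headers):
        personal = self.guard and bool(MEMBER_COOKIES & parse_cookies(headers).keys())
        cacheable = method == "GET" and not personal
        if cacheable and path in self.store:
            return self.store[path]  # cache hit: origin is never consulted
        status, resp_headers, body = self.origin(method, path, headers)
        directives = resp_headers.get("Cache-Control", "").lower()
        if self.guard and ("Set-Cookie" in resp_headers
                           or "private" in directives or "no-store" in directives):
            cacheable = False  # response is tied to one visitor
        if cacheable and status == 200:
            self.store[path] = (status, resp_headers, body)
        return status, resp_headers, body


def visit_sequence(guard):
    """A member loads the page first, then a visitor with no cookies at all."""
    cache = PageCache(origin, guard)
    member_view = cache.fetch("GET", "/account/", {"Cookie": "ghost-members-ssr=tokA"})[2]
    anonymous_view = cache.fetch("GET", "/account/", {})[2]
    return member_view, anonymous_view


if __name__ == "__main__":
    print("unguarded:", visit_sequence(guard=False))
    print("guarded:  ", visit_sequence(guard=True))
```

Without the guard, the cookie-less second visitor receives the member's page from the cache, which is why clearing browser data or switching browsers changes nothing; the stored copy has to be purged at the cache itself.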