Forum issue? Getting logged into other people's accounts at random


Dai

  • Paid Members
Just now, Moo said:

Do you mean on ukff.com or more generally? Caching issues are quite common, but I don't think we've ever had this issue on ukff.com before, ever. 

I mean more generally. Just curious how you figured out what happened and how it got solved - I'm guessing, if similar effects have happened on other forums, that made it easier to solve.


3 hours ago, Keith Houchen said:

And see which members they were bitching about behind their backs. Verrry interesting…

Ok. I posted this as I thought it was funny to shit people up as I am assuming people have said how other members are arseholes via PM. True to form, nobody else did. 
 

I’m sorry for any anxiety caused by this. It was obviously bollocks as Moo and others have explained how PMs couldn’t be read. 


Not that I don't believe you @Moo but I absolutely was able to click the messages button at the top and saw a list of someone's PMs, headings and first line of content.

Are we assuming therefore that that account had happened to open their own inbox and then I did the same and saw their cache?


  • Admin
5 minutes ago, Loki said:

Not that I don't believe you @Moo but I absolutely was able to click the messages button at the top and saw a list of someone's PMs, headings and first line of content.

Are we assuming therefore that that account had happened to open their own inbox and then I did the same and saw their cache?

Yep - that's exactly what would have happened - the person's PMs you saw would be someone who had visited the forum during the time period and had opened their messages during that time.


  • Admin
10 minutes ago, Keith Houchen said:

Ok. I posted this as I thought it was funny to shit people up as I am assuming people have said how other members are arseholes via PM. True to form, nobody else did. 
 

I’m sorry for any anxiety caused by this. It was obviously bollocks as Moo and others have explained how PMs couldn’t be read. 

To be clear - that is not the case. Someone could have seen DMs from another account if that person had read their own DMs during the time period. Because of the way caching works, it's sort of a roll of the dice whether you saw your own DMs or someone else's who was also accessing the forum at around the same time in the same location.


28 minutes ago, Moo said:

So a request to a website with a CDN cache (like we have) works like this:

Your browser > Content Delivery Network (CDN) Cache > ukff.com server

If the URL is in the cache, then the content is returned without talking to our server, like this:

Your browser > Content Delivery Network (CDN) Cache

A typical CDN has maybe 100+ different caches around the world. If we assume most UKFF visitors are from the UK (logical!?) then there's maybe 3-4 different cache locations people typically would be routed to. Under normal circumstances, logged-in content would not be cached at all - and traffic would skip the cache and be delivered *only* to you.

However, during the time period of ~1300 yesterday to ~0930 today the CDN was caching too aggressively. What that means is if you were the first person to hit http://ukff.com/some/url in let's say the London location yesterday when the issue started, the version of http://ukff.com/some/url that you saw would go into the cache. If I came along after that and requested the same http://ukff.com/some/url URL, I might see your version of the page. So individual logins weren't compromised or leaked, but you might have seen the HTML that was destined for me because my version got cached before you. It's an important distinction between that and a database leak which is where someone gets the entire database of all users and content, forever. That is not what happened. The tricky part is it's really hard to be certain exactly what pages were cached and from which accounts... but suffice to say if you did not visit ukff.com while logged in during the time period, your pages will absolutely not have been put into the cache at all and therefore nobody else could have seen them.

The fix was to remove the caching configuration and purge the cache completely, which is what happened at ~0930 today. At that point, all cached pages were removed.

Mate, if I didn't understand the first post, I'm not gonna understand that am I? 😂

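Added example, not part of the original thread and not the forum's real configuration: a toy Python model of one CDN edge location, contrasting the URL-only caching described in the quoted explanation with a policy that skips the cache for logged-in traffic. The `session` cookie name, the URL and the member names are constructed for illustration.

```python
# Toy model of one CDN edge location; names and the "session" cookie are assumptions.
def origin(url, cookies):
    """Constructed origin server: personalises the page when a session cookie is sent."""
    user = cookies.get("session")
    if user:
        return {"body": f"{url} rendered for {user}", "cache_control": "private, no-store"}
    return {"body": f"{url} rendered for guest", "cache_control": "public, max-age=300"}

def shareable(cookies, resp):
    """Shared-cache rule: store only anonymous responses not marked private/no-store."""
    directives = {d.strip().split("=")[0] for d in resp["cache_control"].lower().split(",")}
    return "session" not in cookies and not directives & {"private", "no-store"}

class EdgeCache:
    def __init__(self, aggressive):
        self.aggressive = aggressive   # True models the over-aggressive caching in the thread
        self.store = {}                # cache key is the URL only

    def fetch(self, url, cookies):
        # Correct behaviour: logged-in requests skip the cache on lookup as well as on store.
        bypass = not self.aggressive and "session" in cookies
        if not bypass and url in self.store:
            return self.store[url], "HIT"
        resp = origin(url, cookies)
        if self.aggressive or shareable(cookies, resp):
            self.store[url] = resp["body"]
        return resp["body"], "MISS"

    def purge(self):
        """The fix described in the thread also emptied the cache."""
        self.store.clear()

def replay(cache, requests):
    """Run (user, url) pairs through the cache; user None means logged out."""
    out = []
    for user, url in requests:
        cookies = {"session": user} if user else {}
        out.append((user, *cache.fetch(url, cookies)))
    return out

# Constructed traffic: two logged-in members open the same URL, then a guest.
TRAFFIC = [("alice", "/messages"), ("bob", "/messages"), (None, "/messages")]

if __name__ == "__main__":
    for label, aggressive in (("aggressive", True), ("safe", False)):
        print(label, replay(EdgeCache(aggressive), TRAFFIC))
```

In the aggressive run the second and third requests are cache hits carrying the first member's page; in the safe run each member gets a miss with their own page and only the guest view is stored.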
