By vivalditec on Friday, 25 September 2015
Posted in Technical Issues
Replies 5
Hi Stackideas.

We have been dealing with a scary bug lately that causes users to post as other users.

We get this error in our logs quite often and I suspect it might be related:

PHP Notice: A session had already been started - ignoring session_start() in /var/www/administrator/components/com_easysocial/includes/oauth/clients/facebook/facebook.php on line 61

Also, a non-logged-in user was suddenly logged into an account he doesn't own; that account has a row in the xx_session table with an empty session id.

The Facebook OAuth plugin is disabled in the EasySocial applications backend. I tried deleting it and got this:
"Sorry, but you are not allowed to delete a core application"

Hey vivalditec,

I am really sorry for the delay of this reply as it is a weekend for us here.

I am a little bit lost here. Do you mean that when User A logs in to your site and posts something in EasySocial, the stream shows User B posted this stream?

Can you provide us with your Joomla backend and FTP access so we can have a better look?

Also, can you provide us with a screenshot of this "facebook oauth plugin"? What is the full name of the application?
Saturday, 26 September 2015 13:33

Hi Arlex,

Here's the scenario: User A visits our site and is logged in as User B.

Here's a link to a very similar issue: http://issues.joomla.org/tracker/joomla-cms/5214. We already applied the fix in the Joomla core, and suspect a similar change is needed in the Facebook OAuth plugin.




And again, here's the error we see often in the logs:

PHP Notice: A session had already been started - ignoring session_start() in /var/www/administrator/components/com_easysocial/includes/oauth/clients/facebook/facebook.php on line 61
Tuesday, 29 September 2015 01:00

Hey vivalditec,

I am sorry for the delay of this reply.

Perhaps you can try opening this file and modifying it: JoomlaFolder\administrator\components\com_easysocial\includes\oauth\clients\facebook\facebook.php

//LINE 60
if (!session_id()) {

// Replace with
if (!session_id() && !isset($_SESSION)) {


And see how it goes? If the issue still persists, can you provide us with your Joomla backend and FTP access so we can help you check on this?
Tuesday, 29 September 2015 11:10

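The guard suggested in the reply above can also be written with session_status() (PHP 5.4+); this is an added example, not EasySocial or Joomla code, and the function name ensure_session_started is hypothetical. It starts a session only when none is active and refuses to continue with an empty session id, the condition reported for the xx_session row in the first post.

```php
<?php
// Added example, not EasySocial or Joomla code.
// The function name ensure_session_started() is hypothetical.

/**
 * Start a PHP session only when none is active, and never hand back
 * an empty session id to the caller.
 *
 * @return string the id of the active session
 */
function ensure_session_started()
{
    switch (session_status()) {
        case PHP_SESSION_DISABLED:
            throw new RuntimeException('Sessions are disabled in this PHP configuration.');

        case PHP_SESSION_ACTIVE:
            // The framework (Joomla in this thread) already owns the session.
            // Calling session_start() again would only raise the
            // "A session had already been started" notice seen in the logs.
            break;

        case PHP_SESSION_NONE:
            // A session cookie cannot be sent once output has begun.
            if (headers_sent($file, $line)) {
                throw new RuntimeException("Cannot start session: output began at $file:$line");
            }
            if (!session_start()) {
                throw new RuntimeException('session_start() failed.');
            }
            break;
    }

    // session_id() returns '' when there is no usable id; treat that as fatal
    // instead of letting later code key user state on an empty id.
    $id = session_id();
    if ($id === '' || $id === false) {
        throw new RuntimeException('Active session has an empty id; refusing to continue.');
    }
    return $id;
}

// Calling it twice is safe: the second call reuses the active session.
$first  = ensure_session_started();
$second = ensure_session_started();
var_dump($first === $second);
```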
Thanks Arlex, I'll try this and report back.
Tuesday, 29 September 2015 18:36

Hi Vivalditec,

You are most welcome. Keep us updated.
Tuesday, 29 September 2015 18:42