Getting logged in as others.

[Alasdair]

So I have now managed to log in as other people on more than one occasion after rebooting my machine. Why is this happening? I am assuming it has something to do with the fact they probably work at the same place I do and when I reboot I get an IP address they they have used at one time or another and I am auotmatically logged on. Is this correct?

[gapertimmy]

the matrix has you.

 

lets see, do you share a computer? the only way this may happen is if there is a cookie set on that computer

[Alasdair]

I dont share my computer with anyone. Last time this happend I got logged in as PLC.

[gapertimmy]

interesting, perhaps it could be the IP and the session from teh same IP is still active in the database, the best bet is to make sure you log out, and this should terminate the session from that IP

[vegetablebelay]

Dan, izzat you?

[JoshK]

Where do you work? Should I be concerned?

[jon]

So maybe Dan, Peter, Jen, and Pierce all work at the same place? That explains everything!!!! Sorry Dan!

[Alasdair]

JoshK said:

Where do you work? Should I be concerned?

You should be very concerned. ALL YOUR BASE ARE BELONG TO US!

[slothrop]

That sounds like bogus session management. Shouldn't there be a session key associated with each session, sent on every request in a cookie or as part of the URL? I know PHP does this automatically if you enable the session.use_trans_sid option. It sounds like Alasdair is getting someone's session ID... maybe it's embedded in the URL he's using to get to the site? Does logging out properly destroy the session and all the session variables?

 

Maybe you could set sessions to expire more often, though that would force people to log in more often.

 

[Ade]

ALL YOUR BASE ARE BELONG TO US!

 

How fuckin nerdy is that.

[Cpt.Caveman]

I have had this done before too. That's when it's time to be really malicious.