On Tuesday 09 October 2007 05:13:44 Daniel Carrera wrote:
Hello,
I have a Drupal 4.7 website (I think it's 4.7) and some of my users are experiencing login problems. "Alice" will log in and end up inside "Bob"'s account. Alice can see Bob's account details, edit his blog, etc. Alice is 100% logged in as Bob.
Alice and Bob are in the same building, probably behind a firewall.
Does anyone know what could cause this problem? My first guess is that they are using a shared computer and Bob forgot to log out, but I'm not sure that this is true (btw, this is a school, Alice is a student and Bob a teacher, and Bob is not happy that his students can use his account).
How does Drupal store login information? Does it use a cookie? Or does it use the IP address? I have every reason to believe that Alice and Bob would show up as the same IP, so I hope that's not what Drupal uses. If Drupal only uses cookies, then that means that Bob didn't log out, right? Or is there another possibility?
Thanks for the help.
Cheers, Daniel.
My personal take on this is that if Bob can't be bothered to log out, then he deserves what he gets, but I know that doesn't fly too well with the user population. :^) I have a site where this was a problem, so I changed the cookie_lifetime setting in the settings.php file to 0 to force the user to be logged out every time they close their browser. Be warned, however, because of the various caches, it may be a while before everyone is completely affected.
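
A way to check that the cookie_lifetime change described in the reply has taken effect, as an added example that is not part of the original thread: the script classifies captured Set-Cookie headers as session-only or persistent. It assumes the setting meant is PHP's session.cookie_lifetime; the cookie-name prefixes and the sample headers are constructed.

```python
# Added example: flag session cookies that outlive the browser session.
# With a cookie lifetime of 0, PHP sends no Expires/Max-Age attribute, so the
# browser discards the cookie on exit (the behaviour wanted on shared PCs).

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs) with lowercase attr keys."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def survives_browser_close(header):
    """True if the cookie is persistent (has a positive Max-Age or an Expires)."""
    _, attrs = parse_set_cookie(header)
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            return int(max_age) > 0   # Max-Age takes precedence over Expires
        except ValueError:
            return True               # malformed value: flag it for review
    return "expires" in attrs

def audit(headers, session_prefixes=("PHPSESSID", "SESS")):
    """Return the headers that set a persistent session cookie.

    session_prefixes is an assumption: adjust it to the cookie name your
    site actually issues.
    """
    flagged = []
    for header in headers:
        name, _ = parse_set_cookie(header)
        if name.startswith(session_prefixes) and survives_browser_close(header):
            flagged.append(header)
    return flagged

# Constructed sample headers, as they might be copied from response captures.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; expires=Thu, 01-Nov-2007 08:46:40 GMT; path=/",  # long lifetime
    "PHPSESSID=def456; path=/",                                         # lifetime 0
    "theme_pref=dark; Max-Age=86400; Path=/",                           # not a session cookie
]

if __name__ == "__main__":
    for header in audit(SAMPLE_HEADERS):
        print("persistent session cookie:", header)
```

Browsers that already hold a cookie with a long expiry keep it until that date or until the user logs out, so a clean audit of new responses does not mean every existing session is gone.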