Hello, I have had aMember running on my sites for almost 5 years now and this last week a problem arose. On one site, it is possible for a person to randomly assume the membership session details of another member who may have recently logged on. I use php_include and run the check on all pages. Every so often this has recently happened and this can have disastrous results for our site. I rebuilt the dbase a few times now, but still the problem is there. Is there anything that can be done to beef up session security/uniqueness? This is forcing me to have to close my busy website until support or someone can shed some light (Linux, latest 3.x aMember). I have had a ticket since the weekend but there is no answer yet.
1. In addition to WP Super Cache, is APC or Memcache included in your environment? 2. Is a live customer seeing the issue or are you concerned because you were able to produce the issue in your testing?
Hello, sorry for the delay getting back. 1. Memcache is being used on the server, but not for session handling or user-page caching. 2. Live customers at one point did see this issue quite a lot. I had to put some temporary IP-checking in to see if the IP address they logged in with changed at all during their time on the site (it does for quite a few, and for those I log them out immediately). 3. It is not a WordPress site. 4. Is there a possibility that the cookie size could get too big and get corrupted or cause issues? 5. I do use some AJAX polling around twice a minute and that also calls the check.inc.php routine. The problem was very strange because a member would seem to inherit the session of another member.
The only time I've seen session crossover issues was with caching (and it actually wasn't a session issue, but rather showing a statically cached page that included content for another user). Based on your list, I would investigate memcache as a possible culprit.
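
The caching failure described in the reply above can be checked from response headers. This is an added example, not part of the original thread and not aMember code: it flags responses to logged-in requests that a shared cache could store and hand to a different member. The function names and the sample header sets are constructed for illustration.

```python
# Added example: constructed header sets, not captured from the site in this thread.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def audit_member_response(headers):
    """Return findings for one response sent to a logged-in member.

    Conservative heuristic: only `private` or `no-store` is accepted as proof
    that a shared cache (proxy, CDN, page cache) will not reuse the response.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return []
    findings = ["may be stored by a shared cache (no private/no-store)"]
    if "set-cookie" in h:
        findings.append("Set-Cookie on a storable response: session cookie can be replayed")
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if "cookie" not in vary and "*" not in vary:
        findings.append("no Vary: Cookie: one stored copy is served to every member")
    return findings


# Constructed samples; PHPSESSID is PHP's default session cookie name.
SAMPLES = {
    "cached member page": {
        "Cache-Control": "public, max-age=300",
        "Set-Cookie": "PHPSESSID=constructed-session-id; path=/",
    },
    "hardened member page": {
        "Cache-Control": "private, no-store",
        "Set-Cookie": "PHPSESSID=constructed-session-id; path=/; HttpOnly",
        "Vary": "Cookie",
    },
    "no caching headers at all": {"Content-Type": "text/html", "Vary": "Cookie"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", audit_member_response(headers) or "ok")
```

Feed it the headers returned for a members-only page and for the AJAX polling endpoint while logged in; any finding on those responses points at a cache layer rather than at the session store.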