Q: Why does my account appear logged in on the same website in another place (such as Shanxi) after I log in in one place (such as Beijing)?
For example, when I log in to segmentfault in Beijing and someone else opens the segmentfault official website in Shanxi, my account is displayed. Maybe it's because I didn't click the logout button, maybe the browser was closed, or something else.
At the moment I suspect that "automatic login" was selected when logging in, or that the logout button was not clicked, but I haven't tested this yet. I hope anyone who has run into this problem can share their ideas or solutions.
Replies:
Because the server uses a session to store your login state.
Until the session expires or you log out, the server will keep treating you as logged in and render the logged-in user's component on the page.
It seems I misread the question ......
- The browser has cookies. To avoid repeated logins, websites usually record the login information in cookies at login time, so that the next time the page is opened the cookies can be used and the trouble of logging in again is saved.
- At login there is usually an option letting the user choose how long to stay logged in. During that validity period the account is logged in automatically in the same browser, even if you have closed the browser.
- If you do not want automatic login, you can choose not to log in automatically. You can also log out manually or clear the cookies.
- Generally, sharing cookies across browsers (across engines) is not common. However, it is still possible to force synchronization, for example via IE extensions.
- Generally, synchronization across machines is not common either, but many browsers still have extensions or features that synchronize cookies.
- If automatic login still happens after you have ruled out staying logged in, cookie synchronization and the other situations, it is basically a website design problem. Generally, cookies do not directly store pre-login information (such as the username and password, even encrypted) but post-login information, usually called a token. A poorly designed system may have a token conflict or a faulty lookup/recognition, causing you to be logged into another user's account. There seem to have been plenty of such cases ...... for example the 12306 incident or the like ......
This problem is not about cookies as such. Obviously the SessionId is just a string of digits.
When you open the website, the server sends you a random number as your ID card, for example:
123456789. Because the number sent to each person is random, it can be considered unique, but not absolutely. The random algorithm used by the website's program may have a problem and generate the same random number, that is, the number 123456789 is also handed to someone else, and then the two of you are treated as the same person .....
According to news reports, this problem has occurred on Sina Weibo. It should be because there are so many users that the chance of a collision is higher...
To verify whether this is the case, you can use a cookie inspection tool to check whether the session IDs on both sides are the same.
Another possibility is session hijacking. A malicious user obtains the sessionId from the user's cookie by means such as XSS; as far as the program is concerned the attacker is then that user, and can exercise all of that user's permissions.
Therefore, when the sessionId is placed in a cookie, remember to set it HttpOnly and transmit it encrypted.
Additionally, the caching mentioned above is also possible. Some CDN or some shoddy ISP may cache your response, but the chance of this should not be high, and in that case more than one person would be affected: every user behind that CDN or ISP would be.
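The two mechanisms in the reply above, a session-ID collision from a weak random source and the HttpOnly/Secure cookie hardening, as an added example that is not from the original thread or from segmentfault's code. The session store, the two user names and the "weak" generator (a Mersenne Twister seeded with the request timestamp in seconds) are constructed to show the failure mode; `audit_set_cookie` is the check you would run against a real site's `Set-Cookie` header copied from the browser devtools or `curl -i`:

```python
import random
import secrets
from http.cookies import SimpleCookie


def strong_session_id(_request_time: int = 0) -> str:
    """Session ID drawn from the OS CSPRNG, as a server should do.
    The request time is accepted only so this has the same shape as the
    weak generator below; it is ignored."""
    return secrets.token_urlsafe(32)


def weak_session_id(request_time: int) -> str:
    """DELIBERATELY weak generator (constructed for illustration): a
    Mersenne Twister seeded with the request timestamp in seconds.
    Two logins in the same second receive the identical 'random' ID."""
    rng = random.Random(request_time)
    return str(rng.getrandbits(64))


def simulate_two_logins(id_fn, request_time: int) -> tuple:
    """Two constructed users log in during the same second. The server maps
    sid -> user in its session table; return what each user's cookie now
    resolves to. With a collision the second login overwrites the first."""
    sessions = {}
    sid_beijing = id_fn(request_time)
    sessions[sid_beijing] = "beijing_user"
    sid_shanxi = id_fn(request_time)
    sessions[sid_shanxi] = "shanxi_user"  # clobbers beijing_user if IDs collide
    return sessions[sid_beijing], sessions[sid_shanxi]


def build_set_cookie(name: str, sid: str) -> str:
    """Set-Cookie value for a session ID: HttpOnly keeps page script (XSS)
    from reading it, Secure keeps it off plaintext HTTP, SameSite=Lax limits
    cross-site sends."""
    c = SimpleCookie()
    c[name] = sid
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    c[name]["path"] = "/"
    return c.output(header="").strip()


def audit_set_cookie(set_cookie_value: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [a for a in ("httponly", "secure", "samesite") if a not in attrs]


if __name__ == "__main__":
    t = 1700000000  # constructed: both logins land in this same second
    print("weak  :", simulate_two_logins(weak_session_id, t))
    print("strong:", simulate_two_logins(strong_session_id, t))
    print(build_set_cookie("sid", strong_session_id()))
    print("missing:", audit_set_cookie("PHPSESSID=abc123; Path=/"))
```

With the weak generator both cookies resolve to `shanxi_user`, which is exactly the "someone else's account appears" symptom; with `secrets` each login gets its own entry. A cookie that is only `Path=/` fails the audit on all three attributes.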
If you do not log out, the website will not actively delete your cookie. As long as the cookie has not expired, your login state will not change.
First, without cookies the server cannot identify users. If a given IP address is logged in, that does not mean there is only one host behind that IP, nor that there is only one browser on that host.
Hence the Cookie. When you first visit (or log in), you are given a Cookie. From then on every request carries the Cookie; the server reads the Cookie value on receipt, finds the record corresponding to it and looks up your information (in this example, whether you are logged in).
Of course, each Cookie in the browser has an expiration time, and the Cookie is deleted directly when it expires. Correspondingly, on the server side each Cookie maps to a stored record (usually called a Session), which also has an expiration time, and the Session is deleted directly when it expires.
So obviously, only once the client Cookie and the corresponding server Session are gone does the server lose track of your login state.
The final reason is (in fact, everyone has said it already): the browser Cookie has not expired, and the server Session has not expired.
The session is uniquely identified, so it must be that the session has not expired. When the remote user accesses the site, the cookie carries the session ID. That is the only possibility.
To be honest, you forgot one thing:
the website itself may be faulty.
For example, the first time a certain university's official mobile site was visited, it logged straight in as a random user.
I'm just offering a possibility..
I ran into this problem before on 17K. I had set automatic login, and as soon as I opened the site I was logged straight into someone else's account.
The replies above do not seem to have read the question clearly.
The OP already said it is not a cookie problem, because the other person logs in from another location.
It won't be a session issue either.
A bug in the program is most likely!
Let me offer a possibility.
This problem occurred on a website we wrote before: even when other people were not logged in, our accounts would automatically appear.
It turned out that ours was a school project and the page was being cached by a server at the egress of the school network center.
We could just add no-cache ourselves.
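The shared-cache failure described in the reply above, as an added example that is not from the original thread or from the poster's project. It models an intermediary cache (school gateway, CDN or ISP proxy) that keys responses on URL alone, and a constructed origin whose page shows the logged-in user's name; the session table, user names and URL are all constructed. One caveat the example encodes: `no-cache` alone only forces revalidation and still allows the response to be stored, so the directive for per-user pages is `Cache-Control: private, no-store`. `Vary: Cookie` is also set, but the cache here ignores `Vary`, which is why `no-store`/`private` has to carry the protection:

```python
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple

# Constructed session table: session ID -> user name.
SESSIONS = {"A": "beijing_user"}

Response = Tuple[Dict[str, str], str]


def origin_response(request_cookie: Optional[str], hardened: bool) -> Response:
    """Constructed origin server: renders the user named by the 'sid' cookie.
    When hardened, personalised pages are marked private/no-store so that no
    shared cache between the user and the origin may keep them."""
    user = "anonymous"
    if request_cookie:
        jar = SimpleCookie(request_cookie)
        if "sid" in jar:
            user = SESSIONS.get(jar["sid"].value, "anonymous")
    headers = {"Content-Type": "text/html"}
    if hardened and user != "anonymous":
        headers["Cache-Control"] = "private, no-store"
        headers["Vary"] = "Cookie"
    return headers, f"<p>Welcome, {user}</p>"


class NaiveSharedCache:
    """Model of a badly behaved intermediary cache: keys on URL only and
    ignores Vary, but does honour no-store/private."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def fetch(self, url: str, request_cookie: Optional[str],
              origin: Callable[[Optional[str]], Response]) -> Response:
        if url in self.store:
            return self.store[url]  # served to whoever asks next
        headers, body = origin(request_cookie)
        cc = headers.get("Cache-Control", "").lower()
        directives = {d.strip() for d in cc.split(",")}
        if not directives & {"no-store", "private"}:
            self.store[url] = (headers, body)
        return headers, body


def scenario(hardened: bool) -> Tuple[str, str]:
    """A logged-in user visits first; an anonymous visitor behind the same
    cache visits second. Return the two bodies each of them receives."""
    cache = NaiveSharedCache()
    origin = lambda ck: origin_response(ck, hardened)
    _, body_first = cache.fetch("/", "sid=A", origin)
    _, body_second = cache.fetch("/", None, origin)
    return body_first, body_second


if __name__ == "__main__":
    print("without no-store:", scenario(hardened=False))
    print("with no-store   :", scenario(hardened=True))
```

Without the header the second, anonymous visitor receives the first user's page from the cache, which is the symptom the thread is about; with `private, no-store` the cache never stores the personalised response and the second visitor sees the anonymous page.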