dpaanlka's avatar

My app is logging guests in as users

Hey guys, I'm not sure where to turn here, or even where to start looking. I'm fairly new at Laravel, and everything seemed to be going along fine until now.

It seems that for many people, visiting my dev site at https://dev.muvidental.com/home results in you being automatically logged in as a user.

I'm not sure how I have done this as the app is pretty simple using the standard Laravel auth and a couple controllers. Any ideas where I can begin to look?

Thanks

0 likes
31 replies
andresayej's avatar

A couple of things:

First check your routes/web.php file, especially the route /home, then check your HomeController.

Search your entire codebase using a Global Search with your IDE. Mine is PHPStorm and on macOS the command for this is:

Cmd+Shift+F

Search for things like:

loginUsingId

loginUsingId(

loginUsingId($user)

auth()->loginUsingId(

auth()->loginUsingId

Auth::loginUsingId

Auth::loginUsingId(

auth()->login

auth()->login(

auth()->login($user)

Auth::login

Auth::login(

If you find any matches, examine them to see if any suspicious code exists there, where in the method signature you are passing a hardcoded value of a user id.

Hope this helps.

Cronix's avatar

We're not sure how you did it either without any code to look at.

When I visited the link I got a login form and entered fake credentials, I got the "These credentials do not match our records." message, so it seems to be working here?

dpaanlka's avatar

Thanks, I will search for that. Also want to mention it doesn't matter what route you hit, the guests are logged in. I just used /home since that's familiar to everyone using Laravel.

My HomeController code is below (I don't see anything suspicious).

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Reseller;

class HomeController extends Controller
{
    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('auth');
    }

    /**
     * Show the application dashboard.
     *
     * @return \Illuminate\Contracts\Support\Renderable
     */
    public function index()
    {
      $user = auth()->user();

      if ($user->role == 2) {
        // is Clue Admin
        $resellers = Reseller::orderBy('name')->get();
        return view('home')->with(compact('user', 'resellers'));
      } elseif ($user->role == 1) {
        $resellers = $user->resellers;
        return view('home')->with(compact('user', 'resellers'));
      } else {
        $practices = $user->practices;
        return view('home')->with(compact('user', 'practices'));
      }

      // foreach ($user->practices as $practice) {
      //   echo($practice->name);
      // }
    }
}

Snapey's avatar

All I see is a login page?

What makes you think people are logged in?

dpaanlka's avatar

I have hit it from some cell phones and a couple of remote users. It doesn't seem to happen for everybody, but for others it does.

I didn't post code as I'm not sure the best way to do that at this community. My whole GitHub repo?

andresayej's avatar

Well, I actually was logged in automatically when I visited the page. Then I logged out of the user, so maybe that's why the rest can't reproduce the problem.

dpaanlka's avatar

@andresayej indeed, it seems that whoever the last logged-in user is, logging out might stop the behavior. Could this be some kind of guest session issue? I'm very confused at this point.

andresayej's avatar

@dpaanlka It's definitely related to sessions, but I can't actually point out exactly where. Post the GitHub repo and I can take a look at it.

1 like
Cronix's avatar

Also want to mention it doesn't matter what route you hit, the guests are logged in.

It didn't log me in. I tried and it wouldn't let me.

This is your dev site... are you sure people who don't have an account on the main site don't have the "remember me" cookie activated? That would let them right into your development site since they are on the same server and share the same domain, unless you changed some session settings to not allow that. What is SESSION_DOMAIN set to in each environment? The same domain?
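An added example of the cookie-scoping point above (not code from the thread), built on the keys Laravel's own config/session.php uses: when a dev and a prod app on sibling subdomains both scope their cookies to the parent domain and share the default cookie name, a browser logged in on one presents its session and remember-me cookies to the other. The .env values in the comments are constructed for the example.

```php
<?php
// config/session.php excerpt (Laravel 5.x keys); the .env values in the
// comments are constructed for this example. Laravel issues its remember-me
// cookie with the same domain and secure options as the session cookie, so
// these two settings govern both cookies.

use Illuminate\Support\Str;

return [
    // Cookie name. With the default, every environment whose APP_NAME is
    // "Laravel" uses the same name: laravel_session.
    'cookie' => env('SESSION_COOKIE', Str::slug(env('APP_NAME', 'laravel'), '_') . '_session'),

    // Cookie Domain attribute. null makes it a host-only cookie.
    //
    // WEAK (dev and prod .env both):   SESSION_DOMAIN=.muvidental.com
    //   A browser logged in on www.muvidental.com sends that laravel_session
    //   and remember_web_* cookie to dev.muvidental.com as well, and dev will
    //   honour it if both apps share APP_KEY and the same user/session storage.
    //
    // CORRECTED:
    //   prod .env:  SESSION_DOMAIN unset   SESSION_COOKIE=muvidental_prod_session
    //   dev  .env:  SESSION_DOMAIN unset   SESSION_COOKIE=muvidental_dev_session
    //   Host-only cookies are never sent across subdomains, and distinct names
    //   keep the two sessions apart even if both apps ever sit on one host.
    'domain' => env('SESSION_DOMAIN', null),

    // Send the cookie only over HTTPS; set SESSION_SECURE_COOKIE=true once TLS
    // on the dev host is working.
    'secure' => env('SESSION_SECURE_COOKIE', false),
];
```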

shraiyan47's avatar

Seems like it is solved, because I can't enter your home page without logging in.

dpaanlka's avatar

@shraiyan47 it is not solved; somebody just logged out. I just logged back in, so now opening a new incognito window should log you in, unless somebody else logs out again.

dpaanlka's avatar

@andresayej I notice in my screenshot all the IPs are 172.16.1.3 even for all of you folks who visited just now. I believe that's a Cloudflare IP address. Could Cloudflare be causing this?

Snapey's avatar

Did you change something? I'm now getting an SSL error (server is presenting *.azureservers.net certificate)

dpaanlka's avatar

I've just disabled Cloudflare caching and trashed all sessions. The SSL won't work at the moment, however I'm not able to reproduce the original problem now with Cloudflare disabled.

EDIT: Re-enabled Cloudflare

andresayej's avatar

@dpaanlka So I've examined the codebase, even installed it locally and ran the seeders.

Locally I can't reproduce the problem; also, nothing in your code around authentication or sessions would suggest a guest or a random person can be logged in automatically (especially as the last successfully logged in user).

Whatever is going wrong is in your server or some kind of cache related to the sessions.

EDIT: Just saw your replies regarding Cloudflare. Yep, this seems like the right candidate to mess up things around session revalidation and/or caching, which could cause this kind of problem, but only if you are using the local cache driver. The case may be different if using the database driver for sessions.

dpaanlka's avatar

@andresayej thanks for looking into that so quickly. Just to be clear, you did yourself get logged in automatically the first time you visited?

Are there any special considerations when using a CDN like Cloudflare? After briefly disabling Cloudflare I wasn't able to reproduce the problem. But I would imagine plenty of Laravel sites use Cloudflare?

andresayej's avatar

Yep the first time it logged me in automatically.

About the special considerations around Cloudflare:

Not that I know of, especially around sessions. For things like assets, sure, maybe implement cache-busting strategies.

dpaanlka's avatar

Thanks a ton @andresayej I'm going to get back to working on this some more without Cloudflare for the time being. I've never had Cloudflare interfere with sessions on any of my other sites (although none of them are Laravel-based). If this comes up again I'll post updates.

andresayej's avatar

@dpaanlka Yeah try with Cloudflare disabled for a while.

In the meantime as previously suggested:

https://github.com/barryvdh/laravel-debugbar

https://laravel.com/docs/5.8/telescope

Are great packages you can leverage to inspect many parts of your application especially when troubleshooting.

My advice is to use them for a while. Also keep an eye on your log files generated in storage/logs as to observe for any abnormalities your application may produce.

Happy coding :)

dpaanlka's avatar

@andresayej thanks, I have telescope already, although I admittedly don't know how to wield its power, and will look into Debugbar.

Unfortunately I can also say that with Cloudflare caching disabled, it is again exhibiting the same behavior.

With Cloudflare disabled, it's probably easier to visit the unencrypted test site at http://dev.muvidental.com/home/; doing so, you should be logged in as a user.

andresayej's avatar

@dpaanlka not logging in automatically when visiting the provided link in Safari/Chrome/Chrome Incognito or Firefox.

Can you check storage/logs if there is something?

dpaanlka's avatar

@andresayej sorry, I had trashed the sessions one more time. If you visit now in incognito, you should be logged in again.

I will have a look in storage logs. Anything in Telescope I should look for?

Mutahhar's avatar

@dpaanlka which hosting server are you using? I happened to face the same issue on my GoDaddy hosting. Once I log in, it is not asking me to log in again even if I visit the auth-protected page in incognito mode or in a new browser. And the weird thing is that my client in another country was able to see that page too, without logging in.

dpaanlka's avatar

@mutahhar I am experiencing this on Azure. Since my last post I've started working with Azure tech support team to hopefully track down what is happening here. I was essentially experiencing the same exact symptoms you describe (still am).

However creating a fresh new Azure site and uploading the exact same code, this behavior is NOT happening. Now waiting to hear back what the difference is and hopefully identify the source of the issue. I am very alarmed about this!

dpaanlka's avatar

Best Answer

Hey friends, I just wanted to update everyone on what's going on with this, in case anyone runs into a similar issue deploying to Azure Web Apps. After more than a week, the Azure support team has finally narrowed down what is going on here. It turns out there was nothing wrong with my code at all.

Azure has an optional feature called App Service Authentication/Authorization that allows you to configure and manage a user authentication system within the Azure dashboard rather than inside your app. It works by spinning up a middleware container that all user requests are routed through.

I have never used this feature, but somehow my account's "web app template" (that's what they called it) has become corrupted and has been spinning up this unused middleware container along with my app containers even though I have this feature disabled.

Because of this Laravel is seeing ALL visitors as the one visitor, thus sharing a single session. This explains why my visitors were all being logged in as each other.

I am posting this here in case anyone in the future encounters the same sessions issues with Azure App Service. You can identify the issue by opening Azure log stream in another tab and then restarting your web app. If you see two containers being started, this is the cause of the issue.

I have posted a screenshot here

2 likes
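An added diagnostic, not code from the thread, for the symptom the accepted answer describes (many visitors carrying one session): it groups request records by session id and flags any id presented by more than one distinct client. The records here are constructed; in a Laravel app they would come from a small middleware logging `$request->session()->getId()`, `$request->ip()` (with the TrustProxies middleware configured so the forwarded client address is used rather than the proxy's, which is why the screenshot showed 172.16.1.3 for everyone), `$request->userAgent()` and `auth()->id()`.

```php
<?php
// Added example (not from the thread): offline check for one session id being
// used by many distinct clients. Each row is what a per-request logging
// middleware would record: session id, forwarded client IP, User-Agent and the
// authenticated user id (null for guests).

declare(strict_types=1);

/**
 * Return session ids that were presented by more than one distinct client.
 * A "client" is forwarded IP plus User-Agent; REMOTE_ADDR is deliberately not
 * used because behind a proxy it is the proxy's address for every visitor.
 *
 * @param array<int, array{session:string, forwarded_ip:string, ua:string, user:?int}> $rows
 * @return array<string, array{clients:int, users:int[]}>
 */
function sharedSessions(array $rows): array
{
    $bySession = [];
    foreach ($rows as $r) {
        $client = $r['forwarded_ip'] . '|' . $r['ua'];
        $bySession[$r['session']]['clients'][$client] = true;
        if ($r['user'] !== null) {
            $bySession[$r['session']]['users'][$r['user']] = true;
        }
    }

    $flagged = [];
    foreach ($bySession as $sid => $seen) {
        $clients = count($seen['clients'] ?? []);
        if ($clients > 1) {
            $flagged[$sid] = ['clients' => $clients, 'users' => array_keys($seen['users'] ?? [])];
        }
    }
    return $flagged;
}

// Constructed sample: three visitors on different networks and browsers all
// carry session sess_A and all appear as user 7, the pattern the accepted
// answer describes; sess_B is a normal single-client guest session.
$sample = [
    ['session' => 'sess_A', 'forwarded_ip' => '203.0.113.10', 'ua' => 'Safari/iOS',  'user' => 7],
    ['session' => 'sess_A', 'forwarded_ip' => '198.51.100.4', 'ua' => 'Firefox/Mac', 'user' => 7],
    ['session' => 'sess_A', 'forwarded_ip' => '192.0.2.77',   'ua' => 'Chrome/Win',  'user' => 7],
    ['session' => 'sess_B', 'forwarded_ip' => '192.0.2.5',    'ua' => 'Chrome/Win',  'user' => null],
];

foreach (sharedSessions($sample) as $sid => $info) {
    printf("session %s used by %d distinct clients, authenticated as user(s): %s\n",
        $sid, $info['clients'], implode(',', $info['users']));
}
```

Running it reports only sess_A (3 clients, user 7); a healthy deployment should report nothing, so the check doubles as a quick verification after restarting the web app as the answer suggests.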
andresayej's avatar

@dpaanlka This is very valuable information; thank you for taking the time to share it so anyone could benefit if/when facing a similar problem.

Also that is a true testament that even a big player like Microsoft Azure can mess up things quite big. Glad that you have resolved your problem and that all of us learned a thing or two from the particular scenario.

I really do hope that Microsoft Azure gave you some credits because of their screw-up, and as much as I understand that anybody can make mistakes, the moral thing to do is to reimburse you for the trouble and nerves.

Good Azure alternatives are: Amazon AWS (despite the crappy UI and confusing UX/docs), whose services are very full-spectrum and world-wide scalable; DigitalOcean, with amazingly good UI/UX/docs and cheaper, predictable pricing.

P.S.: I'm kind of happy my "spidey" sense led me to believe that this was some kind of issue on the server. P.S. 2: to all developers, try diving into other people's questions/problems about applications, because it's very helpful for your personal solution thinking.

2 likes