Hi,

I have a problem using the global $user object. For example:
First I log in under user name "user1", then I log out and log in with another user name "user2",
but the $user object still has "user1" values.

I also have another problem with fbconnect. Same scenario, but worse. When I log in using fbconnect it even shows a $user object which is used on other computers. Could this also have something to do with authcache?

Can you please help me with this?
I use authcache for authenticated user and boost for anonymous.

Thanks in advance
Reynaldi

Comments

yrre7

I have the exact same issue and setup. Does anyone have a solution to it?

Jonah Ellison

What caching engine and handler are you using? (e.g. APC, Memcache, Cache Router module, Memcache API module)

yrre7 -- are you also using fbconnect?

reynaldio

Hi,

I use memcache with the memcache api module. And yes, I also use the fbconnect module. Is there some conflict between fbconnect and authcache?

Thanks
Reynaldi

yrre7

Yes, I have FB Connect as well and I use Cache Router.

Jonah Ellison

Title: Invalid $user object after logout » Invalid $user object after logout and fbconnect conflicts

It's most likely a conflict with the fbconnect module, though I can't see anything obvious of what it might be at the moment.

yrre7

Even though I have the FBconnect module, I use some dummy users to log in to the site without using FBconnect. It might not be the fbconnect problem then?

Jonah Ellison

yrre7, do you have Boost installed as well? Maybe Boost is causing a conflict. Can you try disabling modules until it works? It is difficult to debug unless I can reproduce the issue. Thanks.

yrre7

Hi Jonah,
I disabled the Boost module, but the problem still seems to persist. I will try to see if I can find other modules to disable tomorrow.

reynaldio

Hi,

I also have this problem without fbconnect installed, but not so often. I don't think it's a conflict with boost since boost only handles unauthenticated users. It's rather difficult for me to reproduce this issue since it happens randomly. But with fbconnect it happens almost every time. I also use domain.module.

Thanks
Reynaldi

yrre7

I have disabled the FBconnect module, it still has the same problem. I don't really have any other cache or login related modules.

Thanks

gausarts

Tracking as an anticipation, in case I'll be there real soon this month: RPXnow, memcache, authcache.

Thanks

yrre7

Just wondering, is this issue gonna be fixed?

nibo

I have the same problem!!! The system logs with the last user account I have used (before the logout) and it takes up to 3 login attempts till the actual user can access the system.

Although it doesn't happen every time but randomly like in #9, it happens often and this would be as far as I can see a big security issue if a user logging into his own account suddenly enters the account of another user and has access to all his data ... I was trying to notice some pattern for the failure but without success :(

For caching I am using Memcached + CacheRouter + Authcache + BlockCache Alter. I don't have Boost or FB Connect ...

It is a lovely module and the only one for caching authenticated traffic, which is essential for my app, but with such an issue I don't think it would be a good idea for me to use it in a production site :(

Thanks
Nikolay

Jonah Ellison

This is beginning to sound like a cookie issue, since Authcache gives the browser an additional user cookie when logged in. Does anyone have any special cookie/session/domain settings?

I wouldn't call it a big security issue, since the session is persisting to the last account the user logged in with (i.e. the user already has access). Authcache does not directly handle Drupal sessions; it just gives the browser a cookie after a user logs in and then expires it after they log out.

Of course, I need to be able to reproduce this issue to fix it.

nibo

Hey Jonah,

You are absolutely right. It ain't an issue and this could only happen if two users use the same machine and the same browser to access the system. I don't know how I could help you resolve the problem, since I'm not so good at programming, but just using the Power Of Observation :) I can tell that when this problem occurs the following cookies are not being set:
- drupal_uid
- drupal_user
- authcache
- DRUPAL_UID

An accurate login sets those cookies and on log out they are deleted.

Should I do something else to help you resolve this issue?

Thanks for the help in advance!
Nikolay
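
An added example, not part of the original thread and not Authcache code: a small checker that turns the cookie observation above into a repeatable test over captured `Set-Cookie` headers. The four cookie names come from the comment above; the header values, the session cookie and the assumption that logout deletes cookies by sending an expiring `Set-Cookie` are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names as listed in the comment above; names are case-sensitive,
# so drupal_uid and DRUPAL_UID are tracked as two different cookies.
EXPECTED = ("drupal_uid", "drupal_user", "authcache", "DRUPAL_UID")

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_expiry(value, attrs, now):
    """True when the header deletes the cookie instead of setting it."""
    if "max-age" in attrs:              # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):  # unparseable or naive date
            pass
    return value == ""

def audit(headers, phase, now=None):
    """Return the expected cookies that are NOT in the state `phase` requires.
    phase='login' requires each to be set, phase='logout' requires each expired."""
    now = now or datetime.now(timezone.utc)
    state = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        state[name] = "expired" if is_expiry(value, attrs, now) else "set"
    want = "set" if phase == "login" else "expired"
    return [n for n in EXPECTED if state.get(n) != want]

# Constructed sample captures (values are placeholders, not real tokens).
GOOD_LOGIN = ["SESSconstructed=x; path=/; HttpOnly", "drupal_uid=2; path=/",
              "drupal_user=user2; path=/", "authcache=x; path=/", "DRUPAL_UID=2; path=/"]
BAD_LOGIN = ["SESSconstructed=x; path=/; HttpOnly", "drupal_uid=2; path=/"]
LOGOUT = ["drupal_uid=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/",
          "drupal_user=; Max-Age=0; path=/",
          "authcache=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/",
          "DRUPAL_UID=2; path=/"]       # still set after logout: stale identity cookie
```

A non-empty result from `audit(..., "logout")` means an identity cookie survived the logout, which is the condition to look for when a later login appears to show the previous account.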

nibo

Hey Jonah,

I just tackled this issue once again and I found that the problem is not in the AuthCache module. In my case the problem resides in the DrupalChat module. I have just noticed it after installing the AuthCache module and thought the problem could be in this module... Anyway, thanks for the great module!

Greets,
Nikolay

znerol

Status: Active » Closed (outdated)