Pete Helgren
User switched to another user randomly
September 20, 2012 2:23 PM

We have had an increase in volume on our web site and began to see what we first thought was incorrect user feedback but then we began to experience it ourselves directly. A user will log in but another user's role and information will be "adopted". It is absolutely random and we have been unable to find out the reason. This article hints at a solution:

http://portal.krypthonas.de/2012/01/13/critical-liferay-security-issue-user-is-logged-in-as-another-user/

The solution is to turn off caching, as suggested, by setting value.object.finder.cache.enabled to false in portal-ext.properties. There is also a partial post on that web site that says: "Actually, the proper fix would be to use a different hash key generator in the util-spring.xml: So add a ext-spring.xml with the following entries:" (but no entries are included in the post).

What I find, as usual in the Struts, Spring environment, is that the fix goes in an .xml file but of course *where* to find the file is always a missing piece of information. We have our Liferay 6.0.6/Glassfish domain folder like so:

/usr/share/bsfLiferay/liferay-portal-6.0.6/glassfish-3.0.1/domains/domain1/

Turns out that *every* application folder in domain1 has a portal-ext.properties file and every application folder has an ext-spring.xml, so *which* folder has the correct one to tweak? Or do I add a new portal-ext.properties file somewhere to add the value.object.finder.cache.enabled=false to (or the ext-spring.xml file hash key generator mods)?

This seems very much like a caching issue and I could see how hash collisions might occur. Can anyone give me a clear, complete, step by step of which files to change and where so I can prevent this serious issue from occurring?

Thanks
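
The failure mode suspected in the post above, shown as an added example that is not part of the original thread and is not Liferay code: a cache whose key generator reduces the lookup key to its hash returns one user's record for another user's lookup when two keys collide. The class, method names, key strings and record values are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; not Liferay code. All names here are hypothetical.
public class CacheKeyCollisionDemo {

    // Weak key generator: reduces the full lookup key to its 32-bit hashCode.
    static Object weakKey(String finderKey) {
        return finderKey.hashCode();
    }

    // Safer key generator: keeps the full key, so equality is decided on the
    // whole string and a hash collision only costs a bucket comparison.
    static Object fullKey(String finderKey) {
        return finderKey;
    }

    // Looks up a user record through a cache, loading it on a miss.
    static String lookup(Map<Object, String> cache, Object key, String loaded) {
        String cached = cache.get(key);
        if (cached != null) {
            return cached; // cache hit: returned without checking the owner
        }
        cache.put(key, loaded);
        return loaded;
    }

    public static void main(String[] args) {
        // Constructed sample keys: "Aa" and "BB" share a String.hashCode(),
        // so the two complete key strings collide as well.
        String keyFirst = "User.findByScreenName(Aa)";
        String keySecond = "User.findByScreenName(BB)";

        Map<Object, String> weak = new HashMap<>();
        lookup(weak, weakKey(keyFirst), "record-of-Aa");
        String weakResult = lookup(weak, weakKey(keySecond), "record-of-BB");

        Map<Object, String> full = new HashMap<>();
        lookup(full, fullKey(keyFirst), "record-of-Aa");
        String fullResult = lookup(full, fullKey(keySecond), "record-of-BB");

        // The hash-only cache hands the second lookup the first user's record;
        // the full-key cache keeps the two users apart.
        System.out.println("hash-only key, lookup for BB -> " + weakResult);
        System.out.println("full key,      lookup for BB -> " + fullResult);
    }
}
```
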
Samuel Kong
RE: User switched to another user randomly
September 20, 2012 10:24 PM
LIFERAY STAFF

The issue you referenced in that article should be LPS-24837 and is already fixed in the latest version of Liferay Portal. You can check GitHub for the commits for this fix.
Pete Helgren
RE: User switched to another user randomly
September 21, 2012 5:47 AM

Thanks Samuel. This issue might actually be closer to the one found in LPS-12715. However, I can't figure out *which* ext-spring.xml file should be used since every application folder has one. Is there a "general override" location we can put the ext-spring.xml file so that it will work?