Discussion Forums

User switched to another user randomly

Pete Helgren, modified 11 years ago.

User switched to another user randomly

Regular Member Posts: 225 Join Date: 7/04/11 Recent Posts
We have had an increase in volume on our web site and began to see what we first thought was incorrect user feedback but then we began to experience it ourselves directly. A user will log in but another user's role and information will be "adopted". It is absolutely random and we have been unable to find out the reason. This article hints at a solution:

http://portal.krypthonas.de/2012/01/13/critical-liferay-security-issue-user-is-logged-in-as-another-user/

The solution is to turn off caching, as suggested, by setting value.object.finder.cache.enabled to false in portal-ext.properties. There is also a partial post on that web site that says: "Actually, the proper fix would be to use a different hash key generator in the util-spring.xml: So add a ext-spring.xml with the following entries:" (but no entries are included in the post).

What I find, as usual in the Struts, Spring environment, is that the fix goes in an .xml file but of course *where* to find the file is always a missing piece of information. We have our Liferay 6.0.6/Glassfish domain folder like so:

/usr/share/bsfLiferay/liferay-portal-6.0.6/glassfish-3.0.1/domains/domain1/

Turns out that *every* application folder in domain1 has a portal-ext.properties file and every application folder has an ext-spring.xml, so *which* folder has the correct one to tweak? Or do I add a new portal-ext.properties file somewhere to add the value.object.finder.cache.enabled=false to (or the ext-spring.xml file hash key generator mods)?

This seems very much like a caching issue and I could see how hash collisions might occur. Can anyone give me a clear, complete, step by step of which files to change and where so I can prevent this serious issue from occurring?

Thanks
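
An added illustration, not part of the original post and not Liferay's code: how a cache that stores entries under a short hash of the lookup key alone can hand one user's record to another when two keys collide, next to a form that verifies the full key on a hit. The 32-bit Java-style string hash, the class names and the sample users are assumptions chosen for the demonstration; the thread does not say which key generator Liferay uses.

```python
# Added illustration; hypothetical names, not Liferay code.

def java_string_hash(s: str) -> int:
    """32-bit hash using the same recurrence as Java's String.hashCode()."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


class HashKeyedCache:
    """Weak form: entries live under the hash only, so colliding keys alias."""
    def __init__(self):
        self._store = {}

    def get(self, key, loader):
        slot = java_string_hash(key)
        if slot not in self._store:
            self._store[slot] = loader(key)
        return self._store[slot]  # may belong to a different key


class VerifiedCache:
    """Hardened form: keeps the full key with the value and checks it on a hit."""
    def __init__(self):
        self._store = {}

    def get(self, key, loader):
        slot = java_string_hash(key)
        hit = self._store.get(slot)
        if hit is not None and hit[0] == key:
            return hit[1]
        value = loader(key)  # miss or collision: reload from the source
        self._store[slot] = (key, value)
        return value


# Constructed sample data: two lookup keys whose 32-bit hashes are equal.
USERS = {
    "userByScreenName:Aa": {"screenName": "Aa", "role": "Administrator"},
    "userByScreenName:BB": {"screenName": "BB", "role": "Guest"},
}

def lookup_sequence(cache):
    """Look up each sample user in order; return the role each request got."""
    return [cache.get(key, USERS.__getitem__)["role"] for key in USERS]
```

With the hash-only cache the second lookup receives the first user's record; with the verified cache each lookup receives its own.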
Samuel Kong, modified 11 years ago.

RE: User switched to another user randomly

Liferay Legend Posts: 1902 Join Date: 10/03/08 Recent Posts
The issue you referenced in that article should be LPS-24837 and is already fixed in the latest version of Liferay Portal. You can check GitHub for the commits for this fix.
Pete Helgren, modified 11 years ago.

RE: User switched to another user randomly

Regular Member Posts: 225 Join Date: 7/04/11 Recent Posts
Thanks Samuel. This issue might actually be closer to the one found in LPS-12715. However, I can't figure out *which* ext-spring.xml file should be used since every application folder has one. Is there a "general override" location we can put the ext-spring.xml file so that it will work?