Problems with “User logged in” shortcode displaying content when not logged in (Easy Digital Downloads support forum)

  • Resolved designdrumm

    (@designdrumm)


    Hello,
I recently had a situation where I was on a page I created that had the [edd_profile_editor] shortcode in it. I had the page opened in a tab in Safari 10.1 (Mac). I proceeded to log out of my WordPress on another tab and then quit Safari (without going to the page with the [edd_profile_editor] shortcode). When I opened Safari, it opened with all the tabs I had open before quitting. When I went to the page with the shortcode, it proceeded to show me account info even though I was clearly logged out. This I feel is a serious security risk and should be addressed immediately.

    Please advise.
    Thank you,

    Best,
    designdrumm

  • designdrumm

    (@designdrumm)

    Oh and just to add as a side note. When I refreshed the page, it then proceeded to show me the login form. So this may be a caching issue. Not positive though.

    Best,
    designdrumm

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    It definitely sounds like a caching issue.

    Could you please go to Downloads > Tools > System Info and post the contents here?

    designdrumm

    (@designdrumm)

    Hello Pippin,
    I will not be able to do that as it has sensitive information in it. What do you need from this info? That I may be able to supply, but just posting my system info here is not something I am willing to do.

    Also, as a side note, it happened again today, only this time I was able to click a link to a separate protected page and it did not show me a login screen. So my thoughts are this is not a cache issue after all, but a programming one.

The other thing I was wondering was: is there any way you could move the user registration out of WordPress and into your own database? With the abundance of WordPress hacking going on these days, I don’t want to register my business users through WordPress. I intentionally hide my WordPress login page usually.

    TIA

    Best,
    designdrumm

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    Remove the site URL if you feel that’s necessary. Nothing else in the System Info is sensitive.

    designdrumm

    (@designdrumm)

    Hey Pippin,
    I think it has to do with the fact that WordPress will do an ajax call on tabs that are open to see if another tab has logged the user out. That is when you get that box showing the login form on a page you were working on. Your plugin does not look to be hooked into this and so it pulls up sensitive information based off of a previous session in the cookies possibly. I also think that because your login isn’t on the backend, WordPress has no control over logging that page out of the WordPress session cookies. These are all just speculations from behavior I noticed. Not able to test personally for all these.

    If you can hook into whatever checks the login, I think that’ll fix it.

    HTH.

    Best,
    designdrumm

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    I’m sorry but that is definitely not accurate.

    The profile editor doesn’t use ajax at all.

    Does your theme use ajax tabs?

    designdrumm

    (@designdrumm)

    You sure about that?

    When I have a tab open in WordPress and I log out of WordPress on a different tab, when I go back to the other tab, it makes a call to check the login status and if I have logged out, it pops up the login form. Pretty sure that is an ajax call as the page does not refresh to show the login form.

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    I am 100% positive that ajax call does not come from Easy Digital Downloads.

    designdrumm

    (@designdrumm)

    Oh, no, I wasn’t saying that ajax call came from EDD. Was referring to it as an example of what WordPress does on tabs. I was saying this also because your plugin doesn’t honor the login state being loaded. It is still showing account details even if a user has logged out of WordPress.

    Basically with this error I have found, a user could be using a public computer, logout, leave and the next person who uses the computer can see their account details. Doesn’t even have to try to login. I say this is a MAJOR security concern.

    designdrumm

    (@designdrumm)

    I’m afraid I am not going to be able to utilize your plugin until this issue is resolved. Please let me know when you have an update. Thanks.

    Best,
    designdrumm

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    I was saying this also because your plugin doesn’t honor the login state being loaded

That is not accurate. EDD absolutely does. The only reason it wouldn’t “respect” the log in state is if the page is cached through a caching mechanism on the site. Do you use any caching plugins?

    If you could please post your system info file, I could actually help get this resolved for you.

    designdrumm

    (@designdrumm)

    No, I do not have any caching set up on my site yet.

    Try it yourself. You don’t need my system info to recreate this issue. Simply open two tabs in Safari. One is the WordPress Admin area. The other is a front-end facing page with your account profile shortcode.

Go to the admin area and log out, leaving the page with the shortcode alone. Quit Safari, then open it back up. When the tabs load, go to the page with the shortcode. You will see your account info.

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    This problem does not happen on any of my sites, local or live. To see it, I need to see it on your site.

    Provide me with access to that and I’ll be more than happy to help track it down. If you would like to keep it private, you can send us a private support ticket from our main support portal: https://easydigitaldownloads.com/support

    Hi Pippin,
    I have since moved on from utilizing your plugin for any login activity. I may still give it a go for download management, but haven’t gotten that far. Sorry I couldn’t be of more help. I just don’t feel right about posting my system info here or anywhere for that matter. Personal choice.

Hope you’re able to find a fix from what I did post, but if you are not able to recreate it from that, then it is most likely something with my setup, and since I am not using your plugin for that anymore, there is no problem here anymore.

I can say that I have Shortcodes Ultimate and that plugin has a login and registration that may have been conflicting, but don’t quote me on that. My thoughts are that you are not clearing the session variables after that page loads, maybe for refresh quality, not sure, but it’s holding on to those variables when the page loads again from the browser cache. I am using Safari 10.1.1 now and it is still doing it. Just FYI.

    Best,
    designdrumm
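The behaviour discussed in this thread (a page that rendered account details while the user was logged in, later shown again from the browser's cache after logout) is a useful case to walk through in code. The following is an added example written for this page, not code from Easy Digital Downloads or from anyone in the thread. The shortcode name `gated_profile` and the function names are hypothetical; `is_user_logged_in()`, `wp_login_form()`, `has_shortcode()`, `nocache_headers()` and the `DONOTCACHEPAGE` constant are standard WordPress APIs and conventions. The login check runs on every PHP request, so it can only protect output that the browser actually re-requests; the no-store headers and `DONOTCACHEPAGE` are there so that neither the browser nor a page-caching plugin serves a stale, personalised copy.

```php
<?php
/*
Plugin Name: Login-gated shortcode (hypothetical example, not an EDD feature)
*/

// [gated_profile]: hypothetical shortcode that decides what to render from the
// current request's auth cookie, never from anything stored from a prior request.
add_shortcode( 'gated_profile', 'gated_profile_shortcode' );

function gated_profile_shortcode( $atts, $content = null ) {
    if ( ! is_user_logged_in() ) {
        // Logged-out visitor: return the core login form instead of account data.
        return wp_login_form( array( 'echo' => false ) );
    }

    $user = wp_get_current_user();

    // Escape everything that came from the database before printing it.
    return '<div class="gated-profile">'
         . '<p>Logged in as ' . esc_html( $user->display_name ) . '</p>'
         . '<p>Email: ' . esc_html( $user->user_email ) . '</p>'
         . '</div>';
}

// A correct per-request check is not enough if a copy of the rendered page is
// stored somewhere. Mark pages that contain the shortcode as not cacheable,
// for the browser and intermediaries (headers) and for page-cache plugins
// (DONOTCACHEPAGE, honoured by the common WordPress caching plugins).
add_action( 'template_redirect', 'gated_profile_disable_caching' );

function gated_profile_disable_caching() {
    if ( ! is_singular() ) {
        return;
    }

    $post = get_post();
    if ( ! $post || ! has_shortcode( $post->post_content, 'gated_profile' ) ) {
        return;
    }

    if ( ! defined( 'DONOTCACHEPAGE' ) ) {
        define( 'DONOTCACHEPAGE', true );
    }

    // nocache_headers() sets Expires and a no-cache Cache-Control; the explicit
    // header below adds no-store/private so the response is not written to any
    // cache at all, which is the directive that matters for the scenario above.
    nocache_headers();
    header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0, private' );
}
```

A quick way to confirm the headers on a site is to request the page with `curl -I` and check that `Cache-Control` contains `no-store`. If a logged-out browser still shows account details after that, the copy is coming from somewhere that never contacted PHP (a browser's restored tab or a CDN that ignores the header), which is exactly the distinction this thread was trying to make.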

    Hey Pippin,
    Just wanted to give you an update. Looks like this problem is not localized to your plugin only. I have another plugin that is doing the same thing.

So either there is something in my set-up doing this, or Safari is storing the session page, or WordPress is storing the session page. Well, those are my thoughts on it anyway. Haven’t had time to test yet.

    If I find a fix, I will post again.

    Best,
    designdrumm
