Users Seeing Profile info of OTHER Users - Even admin!

deadparrotsoftware · 1 April 2023 17:29

We have S2member Pro. Before we upgraded we found a big security.
We use a custom Members Profile page and Special Redirection URL
We do NOT use any local cache plugin - we have CloudFlare CDN for that.
WP 6.2, Maria 10.x DB, Wordfence security (test it - not the problem)
We ARE using the CloudFlare plugin and APO is ON

When users login, instead of seeing THEIR profile info (like name and email)
they are seeing Info of OTHER MEMBERS - SOMETIMES EVEN ADMIN - of other members either currently logged in or recently left. They don’t always logout.

This is a severe security issue, but we can not find the source.

Anyone have an idea? We planned on installing S2 on 37 other sites, but not with a security hole.

Sid
VP

Cralamarre · 1 April 2023 13:22

Have you tried bypassing Cloudflare caching? Seems like it’s an issue unrelated to s2Member otherwise it would be widely reported. I know Cloudflare’s Cache Everything rule can’t distinguish between logged in and logged out users.

deadparrotsoftware · 1 April 2023 14:31

YES - if we purge the cache OR use Development mode - which bypasses CF and edge cache - THE PROBLEM DOESN’T EXIST.

Cralamarre · 1 April 2023 14:49

So the problem is with your Cloudflare settings. Do you have Cache Everything enabled? If so, you definitely want it disabled.

I use Cloudflare as well but s2Member is working fine. Cache Everything is disabled.

deadparrotsoftware · 1 April 2023 14:52

always online (idiotic Archive.org thing) is disabled
Caching level is standard
It is a Pro account but I don’t see a “cache everything” setting?

Cralamarre · 1 April 2023 15:13

I have a Pro account as well.

Cache Everything is off by default. It’s under Rules > Page Rules > Create Page Rule > Cache Level. But if you have not created the rule, it’s probably off.

I think I’m using mostly default settings in Cloudflare. Caching Level is Standard. But there must be something in the Cloudflare options that you need to change or disable. You can always bypass the caching until you figure it out.

Cralamarre · 1 April 2023 15:43

Just had a thought… Are you using the Cloudflare plugin for Wordpress? If so, I believe it turns Cache Everything on if you choose the Optimize Settings option (I think that’s what it’s called).

deadparrotsoftware · 1 April 2023 16:48

You mean APO - Automatic Platform Optimization?

Cralamarre · 1 April 2023 17:41

Yes I think that’s it. Turn it off.

Cralamarre · 1 April 2023 23:36

Sorry, I just re-read your original post and noticed it says you are using the Cloudflare plugin with APO turned on. That would cause your problem.

bopters · 2 April 2023 06:30

APO shouldn’t cause that as I’ve used API w/ s2 in the past and s2 is really good at setting don’t cache headers that APO and most caching plugins understand. Is your host running another cache or are you running any other caching plugins or web server modules?

bopters · 2 April 2023 06:58

I just thought of this while responding to another post here.

Does your host use Redis or Memcached object caching?

s2 doesn’t get along with that so try disabling it.

deadparrotsoftware · 2 April 2023 11:31

NO other cache’s are running. Since turning off APO, we have as yet had no cross account errors, no one seeing the pages of other users

Cralamarre · 2 April 2023 12:57

That’s because APO turns on Cache Everything which will cause the problem you experienced. Cache Everything can’t be used with a membership site.

bopters · 3 April 2023 03:40

That’s so odd bc I never experienced that with APO.

APO is supposed to respect don’t cache headers like WP Rocket, Comet Cache, or any other caching plugins.

Not running it anymore, though, bc my users are local and openlitespeed by itself is faster than APO.

deadparrotsoftware · 3 April 2023 20:02

Actually, at one time we used comet cache - till it started colliding with APO!

We also had a page rule in place that set Cache Level to standard for anything going to/from the domain. APO was apparently overriding that rule and truly caching every ■■■■ thing. Standard level is supposed to deliver a different resource each time the query string changes - and I ASSUME s2member uses a query string to match the user level with the proper page so should not be loading from the cache.

I don’t know the answer to that

Cralamarre · 3 April 2023 21:49

The problem with APO is that it enables Cache Everything. And Cache Everything literally caches everything on the page as static html, including any member-specific content and even the member’s profile. If it’s on the page, it gets cached as part of the html.

So whichever logged in member is the first to visit a page after the previous cache was cleared becomes the lucky member who’s profile is cached with the html and displayed to everyone who visits the page after them. If an admin is the first to visit a page, the admin’s profile is cached with the page.

Since these static html pages are served by Cloudflare, your origin server is kept out of the loop. Cloudflare has no idea who’s who, so it serves the same static html page, which may include a member’s or admin’s profile, to everyone who visits.

Hopefully that makes sense.

deadparrotsoftware · 3 April 2023 22:19

Yes it does, thanks. That is how I know APO is doing as you say and ignoring cache config AND page rules - IF it were honoring the ‘standard’ setting it would ignore the cache page and load a ‘fresh’ page every time the query string changes - as it should for a new user.

bopters · 20 April 2023 07:07

Just want to jump in again and say that this wasn’t my experience with APO. It bypassed cache for logged-in users just like any other WP cache plugin would. I’m curious as to what the differences in our sites could be.