Users being automatically logged in, even after logging out


findingpeace
08-01-2013, 02:58 PM
We have a big security issue here. Several users are reporting that when they log out, and then return to the site, they are still logged in. I have verified it from several different browsers / computers.

Is this a known issue with vBulletin 4.2.1?

Thanks!

Lynne
08-01-2013, 03:24 PM
What is your site URL? What is your Cookie Domain? Have you tried clearing your cookies for the site?

findingpeace
08-01-2013, 04:08 PM
Forum URL: ourdomain
Cookie domain: (blank)
Path to save cookies: /

Yes, I've asked them all to clear cookies and the problem persists.

Lynne
08-01-2013, 07:23 PM
Do you have an .htaccess file in place - if so, what is in it? Does your host have any caching enabled on the server (if you aren't sure, please ask them about ANY caching including just using mod_expires or mod_headers)?

findingpeace
08-02-2013, 12:18 PM
Hi Lynne,

Thanks so much for your quick help.

.htaccess file is empty. However, I remember turning on this option in config.php because someone told me it would make my site faster:

$config['Datastore']['class'] = 'vB_Datastore_Filecache';

Could that be the culprit? I've also opened a case with my hosting company to ask about caching options.

mokujin
08-02-2013, 12:27 PM
Try to reupload the file in ./includes/datastore/datastore_cache.php
I had the same problem once a few years ago.

findingpeace
08-02-2013, 12:50 PM
Thanks mokujin! I have re-uploaded the file and also just commented out the line in our config file, since we don't really need the extra speed now that we are on a faster VPS.

--------------- Added 1375457169 at 1375457169 ---------------

That did the trick, thank you both for all of the help!

findingpeace
08-05-2013, 06:54 PM
Hi Lynne,

I spoke too soon, we're still having issues with this across multiple accounts. My host let us know that the following caching is enabled:

eAccelerator
mod_expires
mod_headers

Are these causing that issue?

Lynne
08-05-2013, 07:49 PM
mod_expires and mod_headers will cause this issue if they are not written correctly.

findingpeace
08-05-2013, 08:25 PM
Thanks! Do you know how I can check this? Is it in the apache configuration? Is there a recommendation/standard that I could send along to my hosting company to write it as?

--------------- Added 1375738366 at 1375738366 ---------------

Would it be worth just disabling both for testing?

Lynne
08-05-2013, 11:28 PM
Remove all the lines and see if it works fine then. Then only add back lines for images and such.

findingpeace
08-06-2013, 01:01 AM
I've removed expires, headers, and eAccelerator. Restarted Apache, asked users to clear cookie/cache - they're still having the issue. I even shared screens with them to verify, and it's definitely happening. They click logout, get the "Cookies have been cleared" message, and then go back to the site and are logged in.

--------------- Added 1375754576 at 1375754576 ---------------

Here is my apache configuration:

Apache:
optmods:
Access: 1
Actions: 1
Alias: 1
Asis: 0
AuthAnon: 0
AuthDB: 0
AuthDBM: 0
AuthDigest: 0
AuthLDAP: 0
AuthnAlias: 0
AuthnAnon: 0
AuthnDBD: 0
AuthnDBM: 0
AuthnDefault: 0
AuthnzLDAP: 0
AuthzDBM: 0
AuthzHost: 1
AuthzOwner: 0
Autoindex: 1
Bucketeer: 0
Cache: 0
CaseFilter: 0
CaseFilterIn: 0
CernMeta: 0
CharsetLite: 0
DAVFs: 0
DAVLock: 0
DBD: 0
DIR: 1
Dav: 0
Deflate: 0
DiskCache: 0
Distcache: 0
Dumpio: 0
Echo: 0
Env: 0
Expires: 0
ExtFilter: 0
Fastcgi: 0
FileCache: 0
Fileprotect: 1
Frontpage: 0
Headers: 0
Ident: 0
Imagemap: 0
LDAP: 0
LogAgent: 0
LogConfig: 1
LogForensic: 0
LogReferer: 0
MPMEvent: 0
MPMLeader: 0
MPMPerchild: 0
MPMPrefork: 0
MPMThreadpool: 0
MPMWorker: 0
MemCache: 0
Mime: 1
MimeMagic: 0
MmapStatic: 0
Negotiation: 1
OptionalFnExport: 0
OptionalFnImport: 0
OptionalHookExport: 0
OptionalHookImport: 0
PHPAsUser: 1
Proxy: 1
RaiseFDSetsize: 0
RaiseHardServerLimit: 0
Rewrite: 0
Setenvif: 1
Speling: 0
Status: 1
SymlinkProtection: 0
UniqueId: 1
Userdir: 1
Usertrack: 0
Version: 0
VhostAlias: 0
Watchdog: 0
version: 2_2
Cpanel::Easy::EAccelerator: 0
Cpanel::Easy::IonCubeLoader: 1
Cpanel::Easy::ModBandwidth: 0
Cpanel::Easy::ModGzip: 0
Cpanel::Easy::ModJk: 0
Cpanel::Easy::ModJk5: 0
Cpanel::Easy::ModMono: 0
Cpanel::Easy::ModMono2: 0
Cpanel::Easy::ModPerl: 0
Cpanel::Easy::ModQos: 0
Cpanel::Easy::ModRuid2: 0
Cpanel::Easy::ModSec: 1
Cpanel::Easy::PHP4: 0
Cpanel::Easy::PHP4::4_4: 0
Cpanel::Easy::PHP4::4_5: 0
Cpanel::Easy::PHP4::4_6: 0
Cpanel::Easy::PHP4::4_7: 0
Cpanel::Easy::PHP4::4_8: 0
Cpanel::Easy::PHP4::4_9: 0
Cpanel::Easy::PHP4::Bcmath: 0
Cpanel::Easy::PHP4::Bz2: 0
Cpanel::Easy::PHP4::CGI: 0
Cpanel::Easy::PHP4::Calendar: 0
Cpanel::Easy::PHP4::Concurrent: 0
Cpanel::Easy::PHP4::Curl: 0
Cpanel::Easy::PHP4::CurlSSL: 0
Cpanel::Easy::PHP4::DBX: 0
Cpanel::Easy::PHP4::Dbase: 0
Cpanel::Easy::PHP4::DiscardPath: 0
Cpanel::Easy::PHP4::DomXslt: 0
Cpanel::Easy::PHP4::Exif: 0
Cpanel::Easy::PHP4::FTP: 0
Cpanel::Easy::PHP4::Fastcgi: 0
Cpanel::Easy::PHP4::ForceCGIRedirect: 0
Cpanel::Easy::PHP4::GD: 0
Cpanel::Easy::PHP4::Gettext: 0
Cpanel::Easy::PHP4::HardPHP: 0
Cpanel::Easy::PHP4::Iconv: 0
Cpanel::Easy::PHP4::Imap: 0
Cpanel::Easy::PHP4::Java: 0
Cpanel::Easy::PHP4::MM: 0
Cpanel::Easy::PHP4::MagicQuotes: 0
Cpanel::Easy::PHP4::MailHeaders: 0
Cpanel::Easy::PHP4::Mbregex: 1
Cpanel::Easy::PHP4::Mbstring: 0
Cpanel::Easy::PHP4::Mcrypt: 0
Cpanel::Easy::PHP4::MemoryLimit: 0
Cpanel::Easy::PHP4::Mhash: 0
Cpanel::Easy::PHP4::MimeMagic: 0
Cpanel::Easy::PHP4::Ming: 0
Cpanel::Easy::PHP4::MysqlOfSystem: 0
Cpanel::Easy::PHP4::Openssl: 0
Cpanel::Easy::PHP4::PDFLib: 0
Cpanel::Easy::PHP4::POSIX: 1
Cpanel::Easy::PHP4::PathInfoCheck: 1
Cpanel::Easy::PHP4::Pear: 1
Cpanel::Easy::PHP4::Pgsql: 0
Cpanel::Easy::PHP4::Pspell: 0
Cpanel::Easy::PHP4::SNMP: 0
Cpanel::Easy::PHP4::SafeMode: 0
Cpanel::Easy::PHP4::SafePHPCGI: 0
Cpanel::Easy::PHP4::Sockets: 0
Cpanel::Easy::PHP4::Swf: 0
Cpanel::Easy::PHP4::TTF: 0
Cpanel::Easy::PHP4::Versioning: 0
Cpanel::Easy::PHP4::Wddx: 0
Cpanel::Easy::PHP4::XmlRPC: 0
Cpanel::Easy::PHP4::XsltSablot: 0
Cpanel::Easy::PHP4::ZendMultibyte: 0
Cpanel::Easy::PHP4::Zip: 0
Cpanel::Easy::PHP4::Zlib: 0
Cpanel::Easy::PHP5: 1
Cpanel::Easy::PHP5::2_17: 0
Cpanel::Easy::PHP5::2_9: 0
Cpanel::Easy::PHP5::3_26: 0
Cpanel::Easy::PHP5::3_27: 1
Cpanel::Easy::PHP5::4_17: 0
Cpanel::Easy::PHP5::5_1: 0
Cpanel::Easy::PHP5::Bcmath: 1
Cpanel::Easy::PHP5::Bz2: 0
Cpanel::Easy::PHP5::CGI: 0
Cpanel::Easy::PHP5::Calendar: 1
Cpanel::Easy::PHP5::Concurrent: 0
Cpanel::Easy::PHP5::Curl: 0
Cpanel::Easy::PHP5::CurlSSL: 1
Cpanel::Easy::PHP5::Curlwrappers: 0
Cpanel::Easy::PHP5::DBX: 0
Cpanel::Easy::PHP5::Dbase: 0
Cpanel::Easy::PHP5::DiscardPath: 0
Cpanel::Easy::PHP5::Enchant: 0
Cpanel::Easy::PHP5::Exif: 0
Cpanel::Easy::PHP5::Expat: 0
Cpanel::Easy::PHP5::FTP: 1
Cpanel::Easy::PHP5::Fastcgi: 0
Cpanel::Easy::PHP5::FileInfo: 0
Cpanel::Easy::PHP5::ForceCGIRedirect: 0
Cpanel::Easy::PHP5::GD: 1
Cpanel::Easy::PHP5::Gettext: 1
Cpanel::Easy::PHP5::HardPHP: 0
Cpanel::Easy::PHP5::Iconv: 0
Cpanel::Easy::PHP5::Imap: 1
Cpanel::Easy::PHP5::Intl: 0
Cpanel::Easy::PHP5::Java: 0
Cpanel::Easy::PHP5::MM: 0
Cpanel::Easy::PHP5::MagicQuotes: 0
Cpanel::Easy::PHP5::MailHeaders: 1
Cpanel::Easy::PHP5::Mbregex: 0
Cpanel::Easy::PHP5::Mbstring: 1
Cpanel::Easy::PHP5::Mcrypt: 1
Cpanel::Easy::PHP5::MemoryLimit: 0
Cpanel::Easy::PHP5::Mhash: 0
Cpanel::Easy::PHP5::MimeMagic: 0
Cpanel::Easy::PHP5::Ming: 0
Cpanel::Easy::PHP5::Mysql: 1
Cpanel::Easy::PHP5::MysqlOfSystem: 1
Cpanel::Easy::PHP5::Mysqli: 1
Cpanel::Easy::PHP5::Openssl: 1
Cpanel::Easy::PHP5::PDFLib: 0
Cpanel::Easy::PHP5::PDO: 0
Cpanel::Easy::PHP5::PDOMySQL: 0
Cpanel::Easy::PHP5::POSIX: 0
Cpanel::Easy::PHP5::PathInfoCheck: 0
Cpanel::Easy::PHP5::Pear: 0
Cpanel::Easy::PHP5::Pgsql: 0
Cpanel::Easy::PHP5::Phar: 1
Cpanel::Easy::PHP5::Pspell: 0
Cpanel::Easy::PHP5::SNMP: 0
Cpanel::Easy::PHP5::SOAP: 0
Cpanel::Easy::PHP5::SQLite3: 1
Cpanel::Easy::PHP5::SafeMode: 0
Cpanel::Easy::PHP5::SafePHPCGI: 0
Cpanel::Easy::PHP5::SilenceDeprecatedPatch: 1
Cpanel::Easy::PHP5::Sockets: 1
Cpanel::Easy::PHP5::Swf: 0
Cpanel::Easy::PHP5::SysTimezone: 1
Cpanel::Easy::PHP5::TTF: 1
Cpanel::Easy::PHP5::Tidy: 0
Cpanel::Easy::PHP5::Versioning: 0
Cpanel::Easy::PHP5::Wddx: 0
Cpanel::Easy::PHP5::WithoutIconv: 0
Cpanel::Easy::PHP5::XSL: 0
Cpanel::Easy::PHP5::XmlRPC: 0
Cpanel::Easy::PHP5::XsltSablot: 0
Cpanel::Easy::PHP5::ZendMultibyte: 0
Cpanel::Easy::PHP5::Zip: 1
Cpanel::Easy::PHP5::Zlib: 1
Cpanel::Easy::PHP5::cPPHPOpts: 0
Cpanel::Easy::PHPSuHosin: 0
Cpanel::Easy::SourceGuardian: 0
Cpanel::Easy::Tomcat::7_0: 0
Cpanel::Easy::Xcache: 0
Cpanel::Easy::Zendopt: 0
_meta:
implies:
changed: {}

circles: {}

name: PHP Encryption and Image Manipulation (1)
note: Basic and adds mcrypt, GD and FreeType to PHP along with the Basic configuration options.

Lynne
08-06-2013, 05:06 PM
I would suggest posting in the Server Configuration forum over on vbulletin.com for help setting up your server correctly so the caching is disabled for the php pages on your site.
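
One way to check whether PHP pages are being served with headers that allow caching, as discussed above (an added example, not code from the thread or from vBulletin). The function names, paths and header values are constructed for illustration; in practice the headers would come from the site's own responses.

```javascript
// Added example. Sample responses are constructed; heuristic freshness is ignored.
function parseCacheControl(value = "") {
  const out = {};
  for (const part of value.split(",")) {
    const [k, v] = part.trim().toLowerCase().split("=");
    if (k) out[k] = v === undefined ? true : v.replace(/"/g, "");
  }
  return out;
}

// Seconds a browser cache may reuse the response without asking the server (0 = none).
function freshnessLifetime(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  if (cc["no-store"] || cc["no-cache"]) return 0;
  // max-age takes precedence over Expires when both are present.
  if (cc["max-age"] !== undefined) return Math.max(0, parseInt(cc["max-age"], 10) || 0);
  if (h["expires"] === undefined) return 0;
  const expires = Date.parse(h["expires"]);
  const date = Date.parse(h["date"]); // assumes the response carries a Date header
  if (Number.isNaN(expires) || Number.isNaN(date)) return 0; // unparseable dates: not fresh
  return Math.max(0, (expires - date) / 1000);
}

// Return the PHP pages that a cache is allowed to serve from storage.
function auditDynamicPages(responses) {
  return responses
    .filter((r) => /\.php(\?|$)/.test(r.path))
    .map((r) => ({ path: r.path, seconds: freshnessLifetime(r.headers) }))
    .filter((r) => r.seconds > 0);
}

const D = "Mon, 05 Aug 2013 19:00:00 GMT";
const sample = [
  { path: "/forum.php", headers: { Date: D, "Cache-Control": "max-age=2592000" } },
  { path: "/login.php?do=logout", headers: { Date: D, "Cache-Control": "private, max-age=0" } },
  { path: "/images/logo.png", headers: { Date: D, "Cache-Control": "max-age=2592000" } },
  { path: "/index.php", headers: { Date: D, Expires: "Mon, 05 Aug 2013 20:00:00 GMT" } },
];
console.log(auditDynamicPages(sample));
```

Any PHP page in the output can be replayed from cache after logout, so the caching rules should be limited to static types such as images.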

findingpeace
08-07-2013, 06:15 PM
Hi Lynne, thank you! They let me know that the issue is allowing both www and non-www access (instead of picking just one), so the cookies remained on one, even if logged out on the other.

Problem is officially resolved.

Really appreciate all of your help!!
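
The root cause reported above, a blank cookie domain combined with access over both www and non-www, can be reproduced with a small cookie jar that applies the RFC 6265 host-only and domain-match rules (an added example, not code from the thread or from vBulletin). The host names and the cookie name `session` are constructed, the cookie path is assumed to be `/` as in the thread, and public-suffix checks are left out.

```javascript
// Added example: simplified cookie jar (RFC 6265 storage and domain matching).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store (or, with maxAge <= 0, delete) a cookie received from `host`.
  // `domain` is the Set-Cookie Domain attribute; undefined models a blank cookie domain.
  set(host, name, value, { domain, maxAge } = {}) {
    const hostOnly = domain === undefined;
    const scope = hostOnly ? host : domain.replace(/^\./, "").toLowerCase();
    if (!hostOnly && !domainMatch(host, scope)) return; // foreign domain: ignored
    // An existing cookie is replaced or expired only if name and domain are identical
    // (path is part of the identity too; assumed "/" everywhere here).
    this.cookies = this.cookies.filter((c) => !(c.name === name && c.scope === scope));
    if (maxAge === undefined || maxAge > 0) this.cookies.push({ name, value, scope, hostOnly });
  }

  // Names of the cookies a browser would attach to a request for `host`.
  sentTo(host) {
    return this.cookies
      .filter((c) => (c.hostOnly ? host === c.scope : domainMatch(host, c.scope)))
      .map((c) => c.name);
  }
}

// The user has logged in through both host names, then logs out on www only.
function logoutScenario(cookieDomain) {
  const jar = new CookieJar();
  const opts = cookieDomain ? { domain: cookieDomain } : {};
  jar.set("example.com", "session", "abc", opts);      // login via non-www
  jar.set("www.example.com", "session", "def", opts);  // login via www
  jar.set("www.example.com", "session", "", { ...opts, maxAge: 0 }); // logout on www
  return { www: jar.sentTo("www.example.com"), apex: jar.sentTo("example.com") };
}

console.log("blank cookie domain:", logoutScenario(undefined));
console.log("Domain=example.com: ", logoutScenario("example.com"));
```

With a blank cookie domain the logout on www leaves the non-www session cookie in place, so the next visit through the other host name is still authenticated; redirecting to one canonical host, or setting a cookie domain that covers both, removes the split.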