Using Discourse 2.5.0 with Apache, Passenger, Redis and PostgreSQL. One thing to note is that we’ve implemented SSO for our site using Discourse’s SSO options.
Now I’ve tried various server configurations, reviewed our SSO code for bugs, etc., but to no avail.
The only clue I have come across is in “user_auth_token_logs” where I see an auth token mixup. I’m just mentioning one of the session mixup cases below.
Last login date: 2020/11/12
IP Address: 18.104.22.168
Last login date: 2020/11/16
IP Address: 22.214.171.124
User session duration: 1440 hours
The first user reported on 2020/11/17 that when he re-opened the site, he was automatically logged in as the second user. I checked our SSO logs and there wasn’t any SSO activity from these two users on 2020/11/17. I then checked the auth logs. I see the first user’s IP and user agent in the second user’s token record, and the action is “rotate” in that record. There are several other similar cases with the same auth log pattern. Here is a screenshot of it.
I'm not permitted to upload CSV here, else I would have attached the auth logs of the two users.
This is a serious issue for us. It is causing concern among our site’s users so any help on this would be greatly appreciated.