• Resolved jdareynolds

    (@jdareynolds)


    My client contacted me to state that every page on the website showed the WordPress admin bar with my (admin) login activated. They noticed it in their office (different network, different city altogether) and reported that 1 of their visitors was served the same WordPress bar with admin being logged in. They were also able to access the backend without being logged in themselves and operate as an admin!

    I immediately changed my password and hit “log out everywhere”, without the expected effect because they could still access the admin area after multiple refreshes in multiple browsers (Safari, Chrome, Edge). The most unsettling aspect of this all was that I could not reproduce their experience, since it involves my own logged-in session.

    The solution for now was to clear the cache and tick off “serve cached pages to logged in users”. Even though the real issue is that it should have never been possible to have login credentials included in cached pages, am I right?

    This may never happen in the future, especially for privacy and security reasons, and needs to be addressed. How can I prevent this from ever happening again?

Viewing 1 replies (of 1 total)
  • Plugin Support vupdraft

    (@vupdraft)

    Hi,

    It sounds like you have the option to serve cache to logged in users checked in Cache >> page cache >> cache settings.

    Uncheck this and run another preload.
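A defender-side check for the leak described in this thread, added here as an example and not code from the original post or from the caching plugin: it scans a page fetched without any cookies for markup that WordPress only emits for a logged-in user (admin bar, `logged-in` body class, edit links, the REST nonce in `wpApiSettings`) and additionally flags such a render when its `Cache-Control` makes it publicly cacheable. The sample HTML, header values and nonce below are constructed.

```python
import re
from typing import Dict, List

# Markers that only appear in WordPress HTML rendered for an authenticated user.
# Seeing any of them in a response fetched WITHOUT cookies means the page cache
# (or a CDN) stored a logged-in user's render and is replaying it to the public.
LEAK_PATTERNS = {
    "admin bar markup": re.compile(r'id=["\']wpadminbar["\']', re.I),
    "logged-in body class": re.compile(r'<body[^>]*\bclass=["\'][^"\']*\blogged-in\b', re.I),
    "edit-post link": re.compile(r'wp-admin/post\.php\?post=\d+&(?:amp;)?action=edit', re.I),
    "REST nonce (wpApiSettings)": re.compile(
        r'wpApiSettings\s*=\s*\{[^}]*"nonce"\s*:\s*"[0-9a-f]+"', re.I),
}


def find_session_leak(html: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for a page fetched anonymously (no cookies sent).
    headers: the response headers; lookup is case-insensitive."""
    findings = [f"page contains {name}" for name, pat in LEAK_PATTERNS.items() if pat.search(html)]
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = hdrs.get("cache-control", "")
    # A logged-in render served with a public cache policy is the misconfiguration itself:
    # every intermediary is allowed to keep replaying the admin's page.
    if findings and "private" not in cc and "no-store" not in cc:
        findings.append(f"leaked render is publicly cacheable (Cache-Control: {cc or 'absent'})")
    return findings


# Constructed sample: the kind of page the cache served in the thread above.
LEAKED_PAGE = """<html><body class="home logged-in admin-bar">
<div id="wpadminbar" class="nojq nojs">...</div>
<script>var wpApiSettings = {"root":"https://example.invalid/wp-json/","nonce":"deadbeef01"};</script>
<a href="https://example.invalid/wp-admin/post.php?post=12&amp;action=edit">Edit</a>
</body></html>"""
LEAKED_HEADERS = {"Cache-Control": "max-age=600, public", "X-Cache": "HIT"}  # constructed

# Constructed sample: a correctly served anonymous page.
CLEAN_PAGE = '<html><body class="home"><p>Hello</p></body></html>'

if __name__ == "__main__":
    for label, page in (("leaked", LEAKED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, find_session_leak(page, LEAKED_HEADERS) or ["no leak indicators"])
```

Run it against a real site by fetching the front page with a cookie-less client and passing the body and headers to `find_session_leak`; an empty list after the plugin setting is unchecked and the cache preloaded again confirms the fix.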

  • The topic ‘Admin logged in session visible to EVERY VISITOR’ is closed to new replies.