We have a peculiar situation happening over a period of few weeks, wherein, Session of any logged in user, is being automatically changed to another user, due to which, all business activity in the application, are happening with the other user, for the subject (whose session is changed / automatically hijacked).
Note: The Session is being "Changed To", Session of Users who had enabled Permanent Cookie using "Remember Me" checkbox, as per our initial observations. Most of the time, this random session override is happening automatically to a single user account, for all users (whose session is being overridden)
We are using Yii 2.0 for all our applications and this problem is imminent and the root cause is still not established, for sure.
We are using CPanel/WHM managed linux servers to host our web application.
About Session Storage:
By default, we are using file based session storage, and the sessions are stored in /tmp folder (that is outside public_html, i.e., /home/cpanel_username/tmp).
With the recent CPanel / WHM update, we had enabled session storage for all websites, in CPanel’s internal session storage path.
Since this current problem is persisting in both scenarios, we had moved sessions to, our custom chosen Session Save path (i.e., /home/cpanelusername/sessions).
Still the problem persisted…
About Cache as Session Store:
Currently, we are not using any in-memory cache (memcache / redis etc), to store sessions
About Yii based User Identity implementation:
We are using Dektrium Yii2 User Extension, to handle User management.
About User Data Storage:
We are using MySQL database to store user information
About Load Balancer usage and Multiple Server scenario:
Currently, this is based on a single virtual server, wherein, both web server and database server exists. We are Apache as HTTP Server and MySQL as Database Server and using Nginx as reverse proxy in this setup.
Finally, I would like to add that, we had enabled HTTPS before few months.
