melsen wrote:

Hi Nick,

Thats a very generous offer.. thank you so much for taking ownership...

I'm at work right now... I'll PM you later tonight once I'm home.

Thanks again.. I really appreciate it.

Btw.. try and drop by www.livingpixels.org right now..

I just fired up my internet explorer and went there, and it said 'Hi Aaron Guy'... except... thats just not me.

Do you get the same?

I got it before but not now!

melsen wrote:

Dear Beat,

The below is a modified post of what I just wrote to ircmaxwell.... But I suppose this is just as relevant to you.

When you read this post, please keep in mind that english isnt my first language, and there might be some language barriers with regards to me phrasing myself properly.

With that in mind - remember that none of the below is meant to sound offensive, but more as a 'cry for help' so to speak...

I've jumped back and forth between 3 CMS systems... Xoops, Drupal and Joomla.. and I always end up liking Joomla the best... HUGE range of posibilities with all the modules out there. Community Builder is one of them

The problem for me and many others are - we are being thrown back and forth between the best of breed.. the best of Joomla - (according to some)
Joomla as an awesome CMS system, and CB as an awesome product for a community related site.

Being thrown back because neither part in my opinion seems to want to take ownership in locating the actual error - and yes... I know that these are open source products and that many developers get nothing for doing this... but that just doesn't help me and others with this error.

At the Joomla site, we keep getting told that everything should be disabled and then attempted to be reproduced... the matter of the fact is - that even though that error cant be reproduced doesn't mean that the error isn't infact caused by Joomla itself and not CB or the other way around. As an example.. an application written FOR windows can fail BECAUSE of windows, and not because of code written in the actual application source-code... so what this bouncing back and forth between you guys at Joomlapolis and Joomla core team to me just seem as a way to avoid the error.. but seeing that I need CB - that isnt really an option to remove CB and by that avoiding the error.

As I see it.. it IS the cache being the problem because of the way it can temporarily be resolved.. whether CB accesses the cache module in Joomla in a way that provokes the error in a way the regular login module wouldn't.. thats something I can't answer.. but that is the precise reason why both development teams keep bouncing this issue back and forth.. because that gives each a posibility - in my opinion - to point fingers at eachothers.

So what is then left for us as users of Joomla as CB to do? We can't do anything really, because developers on both side doesn't take ownership in locating the bug and getting it fixed - and that to me is very sad... I've got no clue what to do.

I can set up Joomla.. I can set up CB.. but I'm not a developer and I can't troubleshoot the error... I do however have a live site that has this problem, and I do have users that periodically experience these errors, and uninstalling CB is just something that on a live site is very very difficult to do counting the huge impact it would have.

If this post have aggrevated you.. then let me apologize in advance... this was not the intention more merely an attempt to express my frustration.. please take a few minutes then to take a deep breath before replying and try to put yourself in my shoes.. and in the shoes of all other people who use these products..

Thanks for reading...

Hi Melsen,

Please find my reply to your similar post on Joomla forum quoted as is below:

No offense taken, no worries

CB team is subscribed to this topic since some time, and is following it closely and participating in it, as obviously this bug (wherever it is) affects both CB users and Joomla users, and in addition is a security (privacy) bug. I also see that Joomla team is also subscribed and has also spent days on that issue, that we all agree is serious concern.

That been said, it can be joomla, it could be a third-party extensions, and it cannot yet be totally excluded that it is in CB (although the probability is really small), or in a combination of all of those only.

Fact is that it becomes visible on sites with lots of users and users-data, and most of those joomla sites have CB installed.

I don't want to rule-out CB completely, but fact is that:

1) CB doesn't install any plugin/mambot which would influence the way Joomla works

2) that bug appears only in Joomla 1.5.x incl. 1.5.8, and doesn't appear on Joomla 1.0 or Mambo 4.5 and 4.6 installations, where CB runs too

3) that we spent days looking at CB core code and trying to reproduce without success (and Anthony did same in Joomla core code)

4) it depends of joomla page-caching, and CB doesn't interact at all with that part of Joomla.

5) CB doesn't handle Joomla login-sessions, but relies on Joomla's framework to login/logout users and for users-sessions management.

So the overall probability of CB messing up Joomla sessions is very very small. Nothing can be excluded until bug is loceted and smashed, but probability of it being in CB is really low. E.g. way smaller than any plugin/mambot, such as SEF or third-party ones.

It all looks like that the Joomla page-caching serves from time to time pages which don't belong to that user, maybe thinking that they are not user-sensitive ?

I didn't spend yet the few days needed to do a security-audit of that part of Joomla 1.5, having my hands full of work on CB itself, and knowing that Anthony did it.

I will be seeing Wilco this Saturday in Lucerne at the JoomlaDay Switzerland, and I will discuss with him how to best address this issue.

Nick's suggestion to publish temporarly both login modules with the greeting messages (trying both orders, first joomla then CB, and the other way around) is a sound suggestion which could help us trying to narrow down the problem.

Another suggestion, if you can reliably reproduce the problem, would be while reproducing it, to unpublish temporarly each plugin to see if it's affecting this.

Also maybe it would be usefull to make a clone of your live site on your server when it's in a state where it mixes the users, so that we can take a debugging look ?

If you wish, you can also PM me an admin access to the site to take a look (will be quicker than listing all details of installed stuff).

We are not just bouncing the problem to here, but this is the main thread discussing this issue, so it's better to keep all indices at the same place, and discussion in a central place

Hope too that nobody feels offended too, as we all would like this one to be solved.

We are taking this issue very seriously, spent already quite some time on it, and will continue spending time (within our possibilities) until it's found, wherever that nasty bug is.

Thanks Allan,

Took a quick look and saw another post on Joomla forum from someone who has problem on a joomla site without CB.

Here the post :

phil_roy says:

Hi guys,

I have 2 Joomla 1.5.7 sites...one that launched as a J1.5 site a few months back and exhibits this issue.....and is CB free completely. I then migrated my second site also recently and it too exhibits the issue. It does have CB.

The sites are on the same server. I don't think CB is the issue given that I don't have that on one site. I do have sh404SEF on both, which I think has been mentioned elsewhere.

Currently caching is disabled (and has been for some time) on both sites to stop the issue occurring.

Hope that helps.

Phil

My reply on joomla forum :

Yes, that helps lots , thanks, means bug is not in CB... 8)

That leaves us with Joomla and sh404sef as "usual suspects".

Took a quick look into admin area of melson's site ( www.livingpixels.org where Nick saw himself as logged-in as another the first time he looked at the site ).

That rules sh404sef out too as suspect...

Leaves us with Joomla 1.5.8 and ???

Nelson's site has JCE, JoomlaPack and UddeIM installed and enabled as other non-core components.

As non-core system plugins there is nothing non-core even installed. There are a few content plugins (there is "Clarity Fireboard discussbot", but fireboard is disabled, that's only thing i saw), and JCE editor.

UddeIM is really unobtrusive, JoomlaPack is quiet when not used, so I don't think that there is anything special there which could form a new suspect...

We now had 2 reports that sites on same server have same behavior (one of them with php4 and php5), so it could be dependant on server sessions settings, e.g. for joomla sessions ?

---

I will continue to monitor that thread closely, but really hope that joomla core team will now take ownership of this serious security problem... I've added it to my tasks list to go and do a security audit of that joomla part, but my time this week is to short for that.