Invalid automatic login

technote · April 20, 2013

A portion of a website I access is controlled by a username & PW. Recently I found myself automatically logged in under a username that was not mine. I am concerned this is a security risk, however am uncertain what steps to take to resolve. Rebooting did not resolve the problem.

AitchB · April 20, 2013

Difficult to answer not knowing what type of website it is. Made by you with Dreamweaver, a Joomla 1.5, 2.5 or 3.0, Wordpress etc.?

I know that Joomla 1.5 websites, because they have stopped supporting them, have been vunerable to being hacked. Check with FTP to see if there is a "Hacked.php" file in the root. That is the hacker saying how clever he is! Don't bother to delete it rather change it to ....old and upload another harmless and uselss file called hacked.php. That does not really help but says to the hacker, "Hi!" :-)

A bit more information and perhaps someone will help more. I'm no expert but my J 1.5 website was hacked and they added several users.

Simon H · April 22, 2013

It certainly could be a hacked website but in my experience, when people have this problem it's always been caused by someone else using the same computer to log into a website and clicking the option to “remember me” or “automatically log me in”.

This stores a cookie in the browser which means each time the website is visited from that computer using the same browser their account will be automatically logged in.

It’s a security risk for the other person because anyone else using the computer has access to their account. The risk to you is that you may inadvertently enter some of your personal data onto their account which they could then view next time they access it.

Rebooting the computer wont stop this.

There should be an option to log the person off from the website, this will stop them being logged in next time you or they visit the website.

This will not stop them from clicking "remember me" in future so you can also set the browser to delete all cookies on exit. This means that if they do the same thing again it won’t matter because the information will be automatically deleted when the browser is closed.

If you are aware of someone else using your computer it would be a good idea to set up a separate user account for them. If you are unaware then I would change my password to something stronger.

If it’s a shared computer such as at work then log the other person off and make them aware of what they are doing if you can find out who it is.

Steve Krause · April 26, 2013

It's not impossible for the website to actually have a BUG where you are given the same security token or cookie of a previous user. I've actually seen this happen on a few websites and it obviously caused a lot of privacy issues.

What I would do (in this order) is.

Scan your PC with a quality Anti-Virus/Malware Tools
Clear all your cookies and delete all history
Email the website letting them know what happened. If it's a bug, they probably are getting emails from other users also so the more data they can get the better
Keep reading groovyPost.com for more tips and tricks on security and privacy!

Here's a good link to blow away browser cache and cookies etc....

http://www.groovypost.com/news/ccleaner-updated-support-windows-8-opera/

Really can't beat CCLeaner... it's free also.

technote · April 27, 2013

It's not impossible for the website to actually have a BUG where you are given the same security token or cookie of a previous user. I've actually seen this happen on a few websites and it obviously caused a lot of privacy issues.

What I would do (in this order) is.

Scan your PC with a quality Anti-Virus/Malware Tools

Clear all your cookies and delete all history

Email the website letting them know what happened. If it's a bug, they probably are getting emails from other users also so the more data they can get the better

Keep reading groovyPost.com for more tips and tricks on security and privacy!

Here's a good link to blow away browser cache and cookies etc....

http://www.groovypost.com/news/ccleaner-updated-support-windows-8-opera/

Really can't beat CCLeaner... it's free also.

thanks Steve. I ran a quick-scan; I think that cleared the cookies. my virus software does regular scans. I e-mailed the website & the response was that it was a cache problem they were aware of.

technote · April 27, 2013

Difficult to answer not knowing what type of website it is. Made by you with Dreamweaver, a Joomla 1.5, 2.5 or 3.0, Wordpress etc.?

I know that Joomla 1.5 websites, because they have stopped supporting them, have been vunerable to being hacked. Check with FTP to see if there is a "Hacked.php" file in the root. That is the hacker saying how clever he is! Don't bother to delete it rather change it to ....old and upload another harmless and uselss file called hacked.php. That does not really help but says to the hacker, "Hi!"

A bit more information and perhaps someone will help more. I'm no expert but my J 1.5 website was hacked and they added several users.

outside website, not one I created.

technote · April 27, 2013

It certainly could be a hacked website but in my experience, when people have this problem it's always been caused by someone else using the same computer to log into a website and clicking the option to “remember me” or “automatically log me in”.

This stores a cookie in the browser which means each time the website is visited from that computer using the same browser their account will be automatically logged in.

It’s a security risk for the other person because anyone else using the computer has access to their account. The risk to you is that you may inadvertently enter some of your personal data onto their account which they could then view next time they access it.

Rebooting the computer wont stop this.

There should be an option to log the person off from the website, this will stop them being logged in next time you or they visit the website.

This will not stop them from clicking "remember me" in future so you can also set the browser to delete all cookies on exit. This means that if they do the same thing again it won’t matter because the information will be automatically deleted when the browser is closed.

If you are aware of someone else using your computer it would be a good idea to set up a separate user account for them. If you are unaware then I would change my password to something stronger.

If it’s a shared computer such as at work then log the other person off and make them aware of what they are doing if you can find out who it is.

personal computer not used by any other individuals. The user ID/pw is paid access to additional information on the website; i.e., listening to or watching audio or video files.

AitchB · April 27, 2013

Can we have the URL address of the website?

Your ID and PW are not needed :-)

Sign In

Invalid automatic login

Recommended Posts

technote

Link to comment

Share on other sites

AitchB

Link to comment

Share on other sites

Simon H

Link to comment

Share on other sites

Steve Krause

Link to comment

Share on other sites

technote

Link to comment

Share on other sites

technote

Link to comment

Share on other sites

technote

Link to comment

Share on other sites

AitchB

Link to comment

Share on other sites

Join the conversation

Similar Content

Facebook question: how to get rid of tags?

Office Excel 2011 - Protect worksheet or workbook

Does an iPad leave tracking info on emails?

How to Encrypt or Password Protect a CD?

Need to recover a Office Word 2010 Password

Who's Online 0 Members, 0 Anonymous, 12 Guests (See full list)

Forums

Activity