The first time it happened, I thought I was crazy and chalked it up to a glitch (i.e. “maybe it’s just showing some weird database ID for me as a user or similar”). But this time, it was pretty clearly another user’s account. The username was SLVRDRGN or something similar, had a completely different profile picture, etc…but when I went to click on the profile section to see if I had access to the account, the browser refreshed and populated with my account info.
Seems a little concerning potentially, so just thought someone should know. I will try to be faster with a screenshot if it happens again.
we’re still unsure what might be causing this, but we’ll be updating to 0.19.9 soon. maybe that’ll fix this issue.
we’re not running any modifications that would impact caching and we don’t have any custom caching logic. we’re only caching what lemmy/lemmy-ui return as cacheable, which suggests that the issue is likely in one of those services, however, i couldn’t find it in either one.
it’s also rare enough that it’s extremely difficult to troubleshoot, as we see people report this maybe once or twice every few months but without any useful information that would allow us to look into this further than trying to find bugs in related code just from the general symptom of seemingly invalid cache.
additionally, the impact of this should be fairly low, as, unless this somehow impacts private messages as well, no data would be returned that isn’t already otherwise public. with this seemingly “just” being a caching issue, there is also no risk at impersonating other users.
nonetheless i agree that this should not be happening in the first place, even if it’s rare and the impact appears limited.
There’s a reason recommendations nowadays are to use other instances than LW. Being the largest instance brings some unique situations.
Sounds like a caching issue. If you were logged in as them, profile would work. Feels like it’s caching personalised sections, which it should not.
I already followed various code paths to try and see where Lemmy might be setting incorrect caching headers without finding anything and nothing in the relevant code seems to have been changed between 0.19.3 and newer 0.19 releases.
I’m still unsure if we’re just seeing it more frequently due to a larger number of users and us also having a “proper” caching setup and in practice it would happen on other instances as well or whether it’s somehow something that others just don’t see due to not being on 0.19.3.
Hmm… I don’t know what would be causing this particular issue on the Cloudflare side, but the fact that lemmy.world shows @[email protected] instead of usernames when viewed with JS disabled suggests that you should review your Cloudflare configuration… At a minimum you have their email filter enabled when it shouldn’t be; there could be other issues too.
why shouldn’t the email filter be enabled?
I have to admit that it doesn’t do much for us, as the support emails we have in sidebars and posts are unfortunately federated to other instances where they’re not getting obfuscated and will be crawled there, but we do have contact emails on the website. I’m currently not aware of any issues caused by that.
glad to at least have confirmation that this isn’t just us, thanks!
do you remember whether this has still been happening while lemm.ee was on lemmy 0.19.5 or 0.19.8?
That’s a recurring bug on LW for some reason
