Hello! I have the latest version of the Frappe Framework with the Helpdesk and Wiki modules installed on an Ubuntu server in the cloud. It is being used as an IT support application for our company, and we have SSO with Microsoft set up and working.
My problem is that, seemingly at random (as I cannot replicate it at will), an agent will switch logged users. This means that, upon loading up a Ticket or going back to the Ticket List or accessing any other page within Frappe, their session will be replaced by another one.
I cannot say that this ONLY happens between agents, but those are the confirmed cases so far.
Either way, this is a VERY PROBLEMATIC issue, as it’s not only rather annoying that every time it happens they have to log out of the other account and log back in with theirs, it also poses an enormous security risk, as people who shouldn’t have permissions can suddenly be in an account with said permissions.
I’ve seen a few other topics open about this problem but they are old and remain unanswered. Does anyone else have this issue, and does anyone know how to make it stop?
Are you sure all frappe users have a Microsoft 365 user license for MS Entra ID?
I agree this is a broken security model. What operating system and browser are
the clients using? Do they share computers? If they share computers, do they
have unique user accounts? Do any of these users share a browser login to
sync bookmarks and cookies?
It would be interesting to browse to office.com and see which user account
is logged in (prior to logging out of the ghost account).
Hi Volkswagner, thank you for checking this out.
Yes, we are an education institution so all our users are licensed.
Clients are using both Windows and Mac, any kind of browser but mostly Chrome and Safari. Some of the recorded cases had users that shared a computer before, but others are with users from two distinct spaces that never shared a computer.
A small update on this matter; it is now happening with clients, as well.
I think I’ve narrowed it down to how Vue is handling sessions. In order to apply filters based on the User accessing the NewTicket form, I’ve had to make a call to the getUser method from the useUserStore in “user.ts”, same with the Ticket list page on the Agent side.
Could this be the origin of this problem? I ask this because upon double-checking the user.ts file, the API call there calls for all users in session, and the getUser function is supposed to take the email as a parameter, something I cannot give it in the form page as I have no info on the user themselves before I call it.
Is there an alternative way to get the current user inside the Vue files?
Thank you
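
Added example, not part of the thread and not Helpdesk or Frappe project code: one way to ask the server which user the current session belongs to, instead of looking a user up in a client-side list, and to record on which page that identity changes. It assumes Frappe's whitelisted `frappe.auth.get_logged_user` method; the function names, page paths and e-mail addresses are constructed for illustration.

```javascript
// Added example; not Helpdesk or Frappe project code. Function names are hypothetical.
const WHOAMI = "/api/method/frappe.auth.get_logged_user"; // responds {"message": "<user id>"}

// Ask the server which user the session cookie on this request maps to.
async function fetchLoggedUser(fetchImpl = fetch, base = "") {
  const res = await fetchImpl(base + WHOAMI, {
    credentials: "same-origin", // send the session cookie
    cache: "no-store",          // never accept a cached identity
    headers: { Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`whoami failed: HTTP ${res.status}`);
  return (await res.json()).message;
}

// Compare the identity pinned earlier with what the server reports now.
function checkIdentity(pinned, reported) {
  const norm = (u) => (typeof u === "string" ? u.trim().toLowerCase() : "");
  const p = norm(pinned);
  const r = norm(reported);
  if (!r || r === "guest") return { ok: false, reason: "logged-out" };
  if (!p) return { ok: true, reason: "pinned", user: r };
  if (p !== r) return { ok: false, reason: "switched", from: p, to: r };
  return { ok: true, reason: "match", user: r };
}

// Walk observations in time order; return each identity switch and the page it appeared on.
function findSwitches(observations) {
  const switches = [];
  let pinned = null;
  for (const o of observations) {
    const v = checkIdentity(pinned, o.user);
    if (v.reason === "switched") switches.push({ at: o.at, page: o.page, from: v.from, to: v.to });
    // A logout clears the pin; after a switch, pin the new user so it is reported once.
    pinned = v.reason === "logged-out" ? null : v.ok ? v.user : v.to;
  }
  return switches;
}

// Constructed sample: what one browser tab might record on each page load.
const SAMPLE = [
  { at: "09:00:01", page: "/helpdesk/tickets", user: "agent.a@example.com" },
  { at: "09:04:12", page: "/helpdesk/tickets/101", user: "Agent.A@example.com" },
  { at: "09:04:40", page: "/helpdesk/tickets", user: "agent.b@example.com" },
  { at: "09:05:02", page: "/login", user: "Guest" },
  { at: "09:05:30", page: "/helpdesk/tickets", user: "agent.a@example.com" },
];
```

Recording the result of `fetchLoggedUser()` on each route change and feeding the records to `findSwitches` gives a timestamp and page for every switch, which can then be matched against the server's request logs.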