Users switching sessions

PedroJACorreia · December 17, 2024, 4:14pm

Hello! I have the latest version of the Frappe Framework with the Helpdesk and Wiki modules installed in a Ubuntu server in cloud. It is being used as an IT support application for our company, and we have SSO with Microsoft setup and working.

My problem is that, seemingly at random (as I cannot replicate it at will), an agent will switch logged users. This means that, upon loading up a Ticket or going back to the Ticket List or accessing any other page within Frappe, their session will be replaced by another one.

I cannot say that this ONLY happens between agents, but those are the confirmed cases so far.

Either way, this is a VERY PROBLEMATIC issue, as it’s not only rather annoying that every time it happens they have to log out of the other account and log back in with theirs, it also poses an enourmous secutiry risk, as people who shouldn’t have permissions can suddenly be in an account with said permissions.

I’ve seen a few other topics open about this problem but they are old and remain unanswered. Does anyone else have this issue, and does anyone know how to make it stop?

volkswagner · December 18, 2024, 12:05am

Are you sure all frappe users have a Microsoft 365 user license for MS Entra ID?

I agree this is a broken security model. What operating system and browser are
the clients using? Do they share computers? If they share computers do they
have unique user accounts. Do any of these users share a browser login to
sync bookmarks and cookies?

It would be interesting to browse to office.com and see which user account
is logged in (prior to logging out of the ghost account).

PedroJACorreia · January 2, 2025, 8:56am

Hi Volkswagner, thank you for checking this out
Yes, we are an education institution so all our users are licensed.
Clients are using both Windows and Mac, any kind of browser but mostly Chrome and Safari. Some of the recorded cases had users that shared a computer before, but others are with users from two distinct spaces that never shared a computer.

PedroJACorreia · January 9, 2025, 9:23am

A small update on this matter; it is now happening with clients, as well.
I think I’ve narrowed it down to how Vue is handling sessions. In order to apply filters based on the User accessing the NewTicket form, I’ve had to make a call to the getUser method from the useUserStore in “user.ts”, same with the Ticket list page on the Agent side.
Could this be the origin of this problem? I ask this because upon double checking the user.ts file, the api call there calls for all users in session, and the getUser function is supposed to take the email as a parameter, something I cannot give it in the form page as I have no info on the user themselves before I call it.

Is there an alternative way to get the current user inside the Vue files?
Thank you

PedroJACorreia · February 28, 2025, 3:51pm

Another update on this;
Changing the session lifespan on Frappe seems to have lessen the number of times this problem occurs, but not get rid of it. It went from happening every day multiple times, to happening once a week with a session time of 1h, to about once a month with session time of 30 mins. It still happens, though, and as such it is still a security problem
It seems there might be a relation, but as I still cannot replicate the problem, I’m still lost on what to do about this.

Any help would be deeply appreciated.

hirntot · January 21, 2026, 12:35pm

[solution:]

we had the same issue, investigated and found a bug in erpnext-code (assumably), as well as a workaround:

github.com/frappe/erpnext

Switching/Changing Users when using ErpNext [with Solution]

opened 09:16AM - 21 Jan 26 UTC

Joniras

bug

### Information about bug When users used the plattform, we found out that some…times the users just switched from User A to User B from time to time. it was very hard to pinpoint where the issue lied. i found those three issues that have the same problem: #47046 #50932 #35048 Those all have the same error and i am referencing them so people can find one (possible) solution for that here. I investigated the network traffic and found that the exact time the user switches is when the `https://erp.example.com/website_script.js` is called (har below). There the session-id from UserA is sent and the session-id from UserB is returned. # Problem My Nginx that is in front of ErpNext was configured to "Cache Assets". website_script is clearly an asset and the same for every user. **Setting Set-Cookie headers with session IDs and user information on static JS files is never acceptable.** # Solution I have two Solutions, one that you can do instantly to resolve the issue, one that erpnext has to fix to ensure that we can use caching properly ## Meantime Disable "Cache Assets" in Nginx Proxy Manager or just use (if not enabled per default) ```env proxy_ignore_headers Set-Cookie; proxy_hide_header Set-Cookie; ``` or use any other configuration method to disable caching ## Long-Term ErpNext should be altered to not send Cookies that are user-specific with static requests as this is not the standard and may not work with common proxies. ### Module other ### Version ```json { "frappe": "15.93.0", "erpnext": "15.93.1" } ``` ### Installation method docker ### Relevant log output / Stack trace / Full Error Message. ```shell { "startedDateTime": "2026-01-21T09:20:50.972+01:00", "request": { "bodySize": 0, "method": "GET", "url": "https://erp.example.com/website_script.js", "httpVersion": "HTTP/2", "headers": [ { "name": "Host", "value": "erp.example.com" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0" }, { "name": "Accept", "value": "*/*" }, { "name": "Accept-Language", "value": "en-US,de-AT;q=0.9,en;q=0.8" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Referer", "value": "https://erp.example.com/timesheets" }, { "name": "DNT", "value": "1" }, { "name": "Sec-GPC", "value": "1" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Cookie", "value": "tmp_id=3a0cc5da; sid=b0c4c0sdfsse95959a965c88de54653c0ede7c72d9c137b2; system_user=yes; full_name=User%20A; user_id=userA%40example.com; user_image=/files/IMAGE_USER_A.jpg" }, { "name": "Sec-Fetch-Dest", "value": "script" }, { "name": "Sec-Fetch-Mode", "value": "no-cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "Priority", "value": "u=1" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" }, { "name": "TE", "value": "trailers" } ], "cookies": [ { "name": "tmp_id", "value": "3a0cc5da" }, { "name": "sid", "value": "b0c4c066c87easdfeee95959a965c88de54653c0ede7c72d9c137b2" }, { "name": "system_user", "value": "yes" }, { "name": "full_name", "value": "User A" }, { "name": "user_id", "value": "userA@example.com" }, { "name": "user_image", "value": "/files/IMAGE_USER_A.jpg" } ], "queryString": [], "headersSize": 687 }, "response": { "status": 200, "statusText": "", "httpVersion": "HTTP/2", "headers": [ { "name": "server", "value": "openresty" }, { "name": "date", "value": "Wed, 21 Jan 2026 08:20:50 GMT" }, { "name": "content-type", "value": "text/javascript; charset=utf-8" }, { "name": "content-length", "value": "25" }, { "name": "x-page-name", "value": "website_script.js" }, { "name": "x-from-cache", "value": "False" }, { "name": "set-cookie", "value": "sid=4076359f3a2f26sdfss9f412b28c5df39d5e6002adfe2b898871c; Expires=Wed, 28 Jan 2026 10:18:14 GMT; Max-Age=612000; HttpOnly; Path=/; SameSite=Lax" }, { "name": "set-cookie", "value": "system_user=yes; Path=/; SameSite=Lax" }, { "name": "set-cookie", "value": "full_name=User%20B; Path=/; SameSite=Lax" }, { "name": "set-cookie", "value": "user_id=userB%40example.com; Path=/; SameSite=Lax" }, { "name": "set-cookie", "value": "user_image=/files/IMG_USER_B.jpg_compressed.JPEG; Path=/; SameSite=Lax" }, { "name": "x-frame-options", "value": "SAMEORIGIN" }, { "name": "strict-transport-security", "value": "max-age=63072000; includeSubDomains; preload" }, { "name": "x-content-type-options", "value": "nosniff" }, { "name": "x-xss-protection", "value": "1; mode=block" }, { "name": "referrer-policy", "value": "same-origin, strict-origin-when-cross-origin" }, { "name": "expires", "value": "Thu, 22 Jan 2026 00:30:00 GMT" }, { "name": "cache-control", "value": "max-age=58150" }, { "name": "x-served-by", "value": "erp.example.com" }, { "name": "X-Firefox-Spdy", "value": "h2" } ], "cookies": [ { "name": "sid", "value": "4076359f3a44ss0af189f412b28c5df39d5e6002adfe2b898871c" }, { "name": "system_user", "value": "yes" }, { "name": "full_name", "value": "User B" }, { "name": "user_id", "value": "userB@example.com" }, { "name": "user_image", "value": "/files/IMG_USER_B.jpg_compressed.JPEG" } ], "content": { "mimeType": "text/javascript; charset=utf-8", "size": 25, "text": "// website_script.js\n\n\n\n\n" }, "redirectURL": "", "headersSize": 934, "bodySize": 959 }, "cache": {}, "timings": { "blocked": 0, "dns": 0, "connect": 0, "ssl": 0, "send": 0, "wait": 73, "receive": 0 }, "time": 73, "_securityState": "secure", "serverIPAddress": "192.0.2.1", "connection": "443", "pageref": "page_1" } ```