Nodebb: Account takeover by doing nothing

Created on 1 Dec 2020 · 11 Comments · Source: NodeBB/NodeBB

https://try.nodebb.org
[screenshot: ipadr]

Issue:
NodeBB recognized me as citizen of India.

What to do?
Sorry, no idea what happened.

Labels: bug, needs confirmation

All 11 comments

I don't have any idea what happened here either, but probably for other reasons:

  1. Why is this issue titled Account takeover? Was there any account takeover here? Why would someone take your account on a demo site (even for testing, admin user is a better target there)?
  2. I assume from the screenshot you didn't get Indian translation, or did you get it and changed it back to english?
  3. Were you trying to mask this IP address in the screenshot? If so, then if you succeeded it would be useless, as from what I understood by NodeBB recognized me as citizen of India. you meant that IP was geolocated to india. If you didn't mean to hide it, then why would you black it out like this?
  4. This is the only session you have there, right? So it must be your current session. That way I don't see how this would be account takeover (going back to 1.)
  5. I assume you weren't using a VPN or any proxy server?

Blacked-out IP is readable as well.

1 ) Logged in to some other user account, showing some other user's computer and some other browser.
2 ) Language is recognized for guests and not logged-in users.
3 ) Blacked by me and not so hard to check it manually.
4 ) Do you believe in bilocation?
5 ) Such servers do not keep sessions. And I'm not using them.

After scheduled database reload. Categories are gone.
[screenshot: nocat]

> 1 ) Logged in to some other user account, showing some other user's computer and some other browser.

Ah, so your issue is that you were logged in as some other user. I actually didn't understand that from the description and screenshot and thought that it was your test account and the session showing you the wrong IP was the issue.

> 2 ) Language is recognized for guests and not logged-in users.

Yeah, I kinda forgot about that :V

> 3 ) Blacked by me and not so hard to check it manually.

Yes, that's what I meant by "if you succeeded" - it's still readable, but requires some effort to read, so I wasn't sure if it was a failed attempt at censoring it or what.

> 4 ) Do you believe in bilocation?

What I meant here is that this bug had to have happened on your current session at that time, since it was the only one. NodeBB can keep multiple sessions and even without having remember me turned on it will create one, so if there is just one it means it must be the one you're using right now.
Therefore the bug couldn't be someone taking over your account - since you are the only person using that account and your browser is the only browser that has a session there.

Only now I understand that the issue was being logged in to an account that's not yours and the session wasn't yours either.

> 5 ) Such servers do not keep sessions. And I'm not using them.

But browsers do :) When you're using a VPN/Proxy you will still be able to create and save sessions - usually they are kept in the browser as cookies (sometimes the cookie will have just the session ID that the website can use to get session data, sometimes the cookie will be serialized session data by itself, if it's not sensitive). So going through a proxy/vpn/tor/whatever doesn't affect browser's capability to save sessions.
But if you're not using any proxy/vpn then it doesn't matter since what I was thinking here was that you might have turned it on by accident and didn't notice.

So it seems that https://try.nodebb.org is experiencing some session management problems. The issue with disappearing categories can be solved by clearing your session cookie (it's just a session mismatch - your user doesn't exist anymore), but randomly mixing up sessions might be a bigger problem.

So now that I understand what the issue actually is:
When did you create your account on try.nodebb.org? Not the one you were logged into randomly, but the one you wanted to use.
If the database was wiped after you made your account and the browser still had a session cookie that miraculously matched a user session that someone else created.

In that case, other than being impressed at the sheer improbability of this happening, I don't think there is anything to do or change - in normal circumstances, without just wiping the sessions from the database, I don't think you can create a duplicate session. It's not Steam's Christmas 2015 bug where the session management failed for a large number of users and just gave random user data to everyone, but rather something that requires weird usage (restoring the site to a previous state, or possibly direct db modification) and even then is an incredibly rare event.

You're wasting my time. This is not a support forum and I'm not looking for help. Use community forum if you want to share your opinions.

I'm using three browsers with common extensions installed - 1st what is expected for 95% of internet users (yes, end users are using ad-blockers), 2nd just one built-in extension and 3rd no extensions at all.

I have reported similar issues 5 or 6 years ago. People around the web tell me NodeBB is not well tested. If you want to change it, start opening your own issues.

I'm not going to moderate here. Be nice guys, that's the only rule on this tracker

> After scheduled database reload. Categories are gone.

This sort of makes sense, the user has no privileges after the scheduled data wipe. Looks like that to me when I install NodeBB without setting up an account first. I wouldn't consider it a bug though. Right now the only concern is why your IP is different, and I have no answers for that. New account I'm assuming is correct IP?

> You're wasting my time. This is not a support forum and I'm not looking for help. Use community forum if you want to share your opinions.

And I'm not trying to help you. I'm trying to see what is the problem you're reporting.

Because I am using NodeBB too and would prefer it to not have bugs too. And I think most users, including you (based on the fact that you reported an issue) would too.
So I'm asking you these things because, as this is an open source project, I might be able to contribute to fixing it. Or at least these are the things I believe would be helpful to devs in finding the source of this bug.

Trust me - it's hard to work on a bug when all you know is that there is a bug possibly connected to that part of the program (this case - sessions). And here that's the case:

From the original description I believed the issue was that your session didn't show correct IP.
From your second comment I understood that you were logged in as another user.

These are two completely different issues. I'm not entirely sure which one it really is, and I'd say some clarification is needed, because from @psychobunny's comment I think they also interpreted the issue like I did at first - wrong IP showed up in your session on your account.

One is something weird happening to request logging - not critical, but might be worth fixing. Especially if it could allow one to bypass the IP blacklist easily.

The other is potentially taking over another user's account.

Since from what I understood this specific issue only happened to you once on a demo forum that's explicitly reset every day, I proposed that the cause of this issue might be incredibly rare duplicate session ID.
UIDs generated by the default function in express-session don't actually have anything to stop one from being the same as an existing id. The chances of it happening are incredibly low. There are about 6*10^58 combinations of 24 bytes.

If this is what happened, most likely neither you nor any dev will be able to replicate this bug without some crazy amount of luck on your side. And it's not really a security vulnerability (though this could be fixed by adding a timestamp to the generated uid or something - express-session allows users to specify their own id generator, so it's something fixable in NodeBB), since the chances of it happening are extremely low.

However, if there were similar problems in the past or someone else experiences them, then it's probably a bigger problem and likely an actual security vulnerability that, if someone learned how to trigger manually, would be a critical exploit and would have to be fixed immediately.

@nhlpl everyone is welcome to share their opinions here and @oplik0 is trying to figure out what the issue might be. So please be nice to other users of NodeBB.

While we appreciate you taking the time to find bugs and report them your initial report didn't have any reproduction steps and not really clear on what the issue is which is why @oplik0 is asking these questions.

Did you create the nikhiljacobkp user? Was it someone else's account and were you logged into that one when you refreshed your page? https://try.nodebb.org/ gets wiped every day at 4.30pm EST. All data and the session store are wiped, so if you were logged in and refresh your page after the wipe you should get a session mismatch message and would need to register again. If this is not happening then that is a bug that needs to be fixed.

Your second screenshot seems to suggest after the wipe you weren't logged out and the header still shows you as logged in although a deleted user hence the A former User title.

Apparently try.nodebb.org wasn't wiping the session store everyday. Not sure if it caused this issue but it is fixed now. Let us know if this happens again.
