Logged on user becomes suddenly other user | Forum

ross Team
ross Jun 7 '15
Please see my reply in PM, I get error related to the Varnish cache server. Please reply in PM
ross Team
ross Jun 15 '15
Alain, look, I spent almost an hour trying to sign in and out to become another user, but I could not. 

However I have an idea, before doing the testing I deactivated these plugins: 

Two Factor Authentication

User IP Tracker

Link Track


I'm sorry but I could not reproduce the issue on your test website. 

You will need to provide more detailed steps how to reproduce the issue

Alain
Alain Jun 20 '15
I've upgraded to Oxwall version 1.7.4 recently and hoped that the symptoms of mixed user sessions would disappear.  It looked good for a while but a few days ago, these incidents occur again.  It's frustrating to see that I seem to be logged on as another "random" member.  So I log off each time, log on with my own profile and hope that it does not occur again. 

There are now 160 members on my site, so the risks are getting higher.  The worst cases are when other users become another user, or in the very worst case they become administrator on the site and in much worse cases they might have the idea to destroy the site.  I don't like to suspect members having the intention to destroy the site but certainly some non-members could harm as guests can also become a user without signing in.

I need lots of testers in my test environments.  I give access to any volunteer.  Just send me a private message for the details.  I just hope that somebody finds the trouble with the site or its cookie behaviour.

JoshWho
JoshWho Jun 21 '15
I still think it is a cache issue.    I know from experience that a user can be logged in and it gets cached and another user can sign in and be the first user because he is being served a cache of the other user being logged in. Disable all cache systems on your box like apc, memcache, varnish, mongodb, etc ...    


Also if using cloudflare disable all minify scripts and rocket loaders.


Make this all bare bones. Then delete the cache from your browser and go to your site and one by one start enabling a cache service and use your site for a day and see if it happens again. If it doesn't happen then enable your next cache.


All in all I would only use just varnish. I found other cache scripts interfere with varnish a lot.


This is 100% a cache issue.


You should share your domain and then I can further investigate. That is a critical part to solving this is to let someone know your site's domain so they can look at it.
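
Added example, not part of JoshWho's post and not Oxwall or Varnish code: one way to check the cache theory from the outside is to audit response headers for a `Set-Cookie` that a shared cache is allowed to store, or that has already been served from a cache (`Age` greater than zero). The three response heads are constructed samples, and `PHPSESSID` is an assumption (PHP's default session cookie name), not a value taken from the site in this thread.

```python
"""Audit HTTP response heads for session cookies that a shared cache may replay."""

# Constructed sample response heads (not captured from the site in the thread).
SAFE = """HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Set-Cookie: PHPSESSID=constructed-a; path=/; HttpOnly
"""
RISKY = """HTTP/1.1 200 OK
Cache-Control: public, max-age=300
Set-Cookie: PHPSESSID=constructed-b; path=/; HttpOnly
"""
CACHE_HIT = """HTTP/1.1 200 OK
Age: 42
Cache-Control: max-age=300
Set-Cookie: PHPSESSID=constructed-c; path=/; HttpOnly
"""

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw response head."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def _seconds(value):
    """Parse a delta-seconds value; anything non-numeric counts as 0."""
    return int(value) if value.isdigit() else 0

def audit(raw):
    """Return a list of findings for one response head."""
    headers = parse_headers(raw)
    cc = {}
    for name, value in headers:
        if name == "cache-control":
            for part in value.split(","):
                key, _, arg = part.strip().partition("=")
                cc[key.lower()] = arg.strip('"')
    sets_cookie = any(name == "set-cookie" for name, _ in headers)
    # A shared cache honours s-maxage over max-age.
    ttl = _seconds(cc.get("s-maxage", cc.get("max-age", "0")))
    blocked = {"private", "no-store", "no-cache"} & cc.keys()
    findings = []
    if sets_cookie and not blocked and (ttl > 0 or "public" in cc):
        findings.append("SET_COOKIE_CACHEABLE")
    # Age > 0 means an intermediary served this response from its store.
    if sets_cookie and any(n == "age" and _seconds(v) > 0 for n, v in headers):
        findings.append("SET_COOKIE_FROM_CACHE")
    return findings
```

A `SET_COOKIE_FROM_CACHE` finding on a real response is the direct evidence for the scenario described above: two visitors receiving the same stored session cookie.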

Alain
Alain Jun 21 '15
Hi JoshWho,


I hope you are right.  I would be happy to conclude that the problem is due to wrong caching on my virtual machines, rather than that it would be a property of the webscript.


I did the following.


I kept the Varnish server for caching, but cleaned all cache and rebooted the whole virtual machine.  The cache is held in the memory anyway.  So the reboot would have been enough for dropping that cache.


I stopped the memcache service and prevented this service at boot for the webserver.

I restarted the whole Virtual machine after that.


I didn't use apc, mongodb.  I'm not using cloudflare.


php-fpm is being used but I don't think it influences cache.


I'll send you the test domain in a private message.  The test domain was a copy of the production site some weeks ago.  It's running on the same server but with a specific subdomain in the URL.  Ross and Bobbi didn't experience the same problems yet on that test domain.


If a problem occurred in the live site since disabling the memcache, I'll post it here.




JoshWho
JoshWho Jun 21 '15
I created an account and I bet it was the memcache that was doing it.   I had the same issue when I used it.


So far I do not see anything out of the ordinary.


I went ahead and tried to spoof cookie sessions to see if it would load my test account in a separate browser and it wants me to sign in, so not a cookie issue; it seems to be working correctly.


This makes me feel even stronger about it being memcache that was causing your issue.



The Forum post is edited by JoshWho Jun 21 '15
Alain
Alain Jun 21 '15
I have hope that you are right but I'm not completely convinced yet.


I had disabled memcached too in the past but did not clean the Varnish cache that time.  The problem occurred while memcached was disabled.


But let's see after a few days, as the servers have been rebooted and Varnish was cleared up too.

JoshWho
JoshWho Jun 21 '15

Here is another example of memcached causing this 


Users take sessions of other users when sessions are stored in memcached
ross Team
ross Jun 21 '15
Alain, have you tried to disable the plugins I mentioned in PM

Two Factor Authentication

User IP Tracker

Link Track


as I did all the testing on your test website and did not get in any other user accounts ?

Alain
Alain Jun 22 '15
Hi JoshWho,


Unfortunately, even hardly 24 hours after turning off the memcache I'm in trouble again.

I was looking at my site without being logged on.  Then 5 minutes later, I seemed to be logged on as another user.  See printscreen.  I logged off immediately.  My courage is sinking again after the enthusiastic assumption yesterday that memcache would play a role.


Ross,


All plugins had been disabled in the test environment before.  They were all enabled again yesterday as I want that somebody would suddenly see the same situation in the test environment.  Nobody could simulate it so far.  Just the domain name cannot be the problem.


If I would disable all plugins on the live site (which breaks all the nice features I paid for) , what advantage would it give except the possible conclusion after more than 1 week that it's probably a strange behaviour of a plugin ?  I prefer somebody discovers what's going on while being in the test environment so that we can trace it.


I consider giving you a profile and a phpmyadmin access and perhaps even SSH access if nobody finds the trouble in the test environment.  But no option may be changed on the live site.  What do you think ?


With kind regards,


Alain.

Attachments:
  Screen Shot 06-22-15 at 10.39 PM.PNG (9Kb)
JoshWho
JoshWho Jun 22 '15
try the same test again but this time disable varnish
ross Team
ross Jun 23 '15

That won't do, I need to disable the plugins and any javascript code you have on your live site as well, as disabling plugins on test website led to the issue not occurring again. This way we can exclude the fact that some plugin causes that. 

JoshWho
JoshWho Jun 23 '15
IP tracker wouldn't cause this but the 2 step auth seems to be the culprit.  +1 Ross    


I ruled out IP tracker because it doesn't use session cookies for current browsing. However the 2 step auth does.  I just finally was able to regenerate your site error and was logged in as a different user.


I had full account control of it so this means I was fully using the last person's cookie which is scary because this could happen to your admin account. Remove that 2 step auth before your site gets in the wrong hands.


Message to Ross


This 2 step auth plugin is very harmful to oxwall and you should have the Devs look into it to see what exactly is causing the exploit.  This could be bad if there are a lot of users using it.

The Forum post is edited by JoshWho Jun 23 '15
Alain
Alain Jun 23 '15
Hi JoshWho, Ross,


Varnish is out of the way now as of 21h20 Belgian time ==> All traffic goes from firewall directly to the main webserver.  (Actually via KeepAlive service.  The spare webserver is not always up-to-date and takes only over if there's no connection with the main webserver).

The test site is now also without Varnish as this website is on the same server.


So at this moment the websites are currently running WITHOUT VARNISH & WITHOUT MEMCACHE.  My site is noticeably slower now without Varnish.


From historical point of view, I can rule out that the 2 Step Authentication plugin is part of the problem.  I had installed this plugin in the hope I would have more safety as I was already suffering from mixed user sessions before and a terror visitor took already opportunity to remove stuff from my site.


I have little doubts about IP Tracker but I had installed it on the 21st of April according to the file stamp and I had already seen the problem of mixed users with users that joined on the 30th of March.  I might be mistaken here but I remember I even tested the site with a disabled IP tracker : the problem was still there with IP tracker disabled.


I just deactivated the 2FA (2 Factor Authentication) plugin right now based on Ross' remark.  I was the only one using it anyway.  But as I told before, the problem was already there before 2FA was present.


Just now, I deactivated the IP tracker too on the Production site.


Let me summarize the situation now.


No Varnish

No Memcache

Production site : no 2FA, no IP Tracker


The IP Tracker is still active on the test site but you may play with the test site for any experiment.  Except from rebooting the server (if you would be able to) :-)


Message to JoshWho :

I'm actually happy to hear from you that you experienced the same problem with mixed user sessions.  At least one thing is proven : that I'm not telling weird nonsense. :-)

ross Team
ross Jun 24 '15
Alain, as I said earlier, I could not reproduce the issue on your website, with those 3 plugins disabled and I can't do the testing like my whole working day in order to catch the issue, as I have other stuff to do. I spent about an hour or so trying to sign in and out, but could not reproduce it, I always ended up in my own account. 


With that being said, I will need the exact steps or time how and when to reproduce that, otherwise we won't be able to assist you. 


As to the Josh experiencing the same issue, he reproduced that, I believe, with the 2steps auth plugin enabled. 

Alain
Alain Jun 24 '15
Hi Ross,


I understand you completely.  You have already done much and I appreciated that.  You don't need to search for the problem.

I keep you informed once it happens again somehow and then I'll post all steps and details that I discovered.


Perhaps Josh wants to be kept informed.  I'll tell him my results.  So far, 24 hours without issue on the Production site as it seems.

Alain
Alain Jun 26 '15

About 3 days without mixed user sessions now.  At least, I think they didn't happen as it didn't happen with me.

Varnish and memcache are still excluded but I see that the other strange symptom appeared.  See printscreen.  A message out of nowhere.  Always 2 random characters.  I do see that this user was logged on but I'm sure he doesn't write such silly newsfeeds with 2 characters only.  I really don't understand how this message can be created.

Happened around 21:25 my time but I don't see anything special in the Apache logs.

Alain
Alain Jun 27 '15
The end of the hope.


I forgot to log off from my computer yesterday evening and had just shut down my computer.

This morning I started up the computer, started my browser, then the first page was with my avatar (maybe browser cache) but one click further I saw that my avatar had changed.  So I was another user.


I really must believe that there's a serious bug in the code.


I turn on the Varnish communication and the memcache service as there's no difference for the risk for the mix of user sessions.  At least my website will be faster again.


I continue this story later, by focussing on the test website again.  I need to know what is the cause.  I'll disable all plugins there and I'll inform JoshWho.

JoshWho
JoshWho Jun 27 '15
I have noticed with varnish it causes conflicts with oxwall. I have removed varnish completely and my site is working a lot better now. The proxy makes a lot of css errors and java errors.


What I have now is OPcache by Zend.   Works perfect with oxwall.

Alain
Alain Jun 27 '15
Thanks for the hint, Josh.  But as I described, the problem occurs anyway while Varnish is not involved at all.  It took 3 days to discover this but the effort of removing Varnish was no help.  I've turned Varnish on again. (I keep memcache down for the time being).


I can consider using OPcache but honestly, the problem must be related with the code, don't you think so ?  Plugins, browser cache, cookies.....a specific combination causes the problem.


Send as many test users to the test site if you wish.  There must be a way to discover the source of the problem.


I consider setting a brand new virtual machine from scratch but with CentOS on it.  I'll let you know if that will change the situation.  But that's just fishing in the dark.
