This was quite tricky.

It turns out this was not a Remedy problem per se - it was a problem with the netscaler router and the sticky session settings for Websphere. Locking all of this down has apparently resolved the problem. I can't reproduce the problem anymore.

However... a security guru might be able to find a way to exploit this. It was essentially giving you the UID of the person who logged in prior to you by sending the wrong user session to the browser after you had authenticated in.

William Rentfrow
Principal Consultant, StrataCom
[EMAIL PROTECTED]
O 952-432-0227
C 701-306-6157

________________________________
From: Action Request System discussion list(ARSList) on behalf of Axton
Sent: Mon 4/21/2008 4:32 PM
To: arslist@ARSLIST.ORG
Subject: Re: Wrong UID being used by mid-tier 7.1

How is authentication performed (customized login.jsp and/or custom area plugin)?

Axton Grams

On Mon, Apr 21, 2008 at 5:15 PM, William Rentfrow <[EMAIL PROTECTED]> wrote:
> We are having an interesting problem (actually, a series of far-too
> interesting problems, but this is the most recent).
>
> Vital stats - this is a remote mid-tier box running on Websphere/IBM HTTP
> server. ARS 7.1 patch 001, mid-tier the same - all on Solaris.
>
> Sporadically we run into an issue where user "A" will log in to the mid-tier
> and see themselves as user "B". That is to say, the UID in the bottom
> corner will say user B's login ID. The table fields in the IM Console all
> show the Incidents assigned to user "B" even though we are 100% sure the
> correct UID/Password for user A were used.
>
> Guest logins are not allowed and are disabled.
>
> I have experienced this myself so I know the users are not crazy....
>
> The only thing that appears to fix it is to bounce Websphere.
>
> Anyone else ever seen this? When this happens it appears the login ID that
> is used is the last successful login prior to the one that shows the wrong
> one.
>
> William Rentfrow, Principal Consultant
> [EMAIL PROTECTED]
> C 701-306-6157
> O 952-432-0227

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
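
The symptom described in this thread (a browser being handed a session that belongs to the previous login) can be checked for in access logs. The following is an added example, not part of the original messages: it flags any session ID presented from more than one client address or tied to more than one login. The log line format, the `find_shared_sessions` name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed format:
#   <timestamp> <client address> JSESSIONID=<session id> user=<login the app bound to the session>
SAMPLE_LOG = """\
2008-04-21T16:01:02 192.0.2.11 JSESSIONID=sess-aaa111 user=userA
2008-04-21T16:01:40 192.0.2.12 JSESSIONID=sess-bbb222 user=userB
2008-04-21T16:02:05 192.0.2.11 JSESSIONID=sess-aaa111 user=userA
2008-04-21T16:03:17 192.0.2.13 JSESSIONID=sess-bbb222 user=userB
2008-04-21T16:03:30 192.0.2.12 JSESSIONID=sess-bbb222 user=userB
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+JSESSIONID=(?P<sid>\S+)\s+user=(?P<user>\S+)$"
)


def find_shared_sessions(log_text):
    """Return {session_id: {"clients": [...], "users": [...]}} for every session
    seen from more than one client address or bound to more than one login."""
    clients = defaultdict(set)
    users = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        clients[m["sid"]].add(m["client"])
        users[m["sid"]].add(m["user"])

    findings = {}
    for sid in clients:
        # Clients behind one NAT address look identical here, and a client whose
        # address changes mid-session will be flagged, so treat hits as leads.
        if len(clients[sid]) > 1 or len(users[sid]) > 1:
            findings[sid] = {
                "clients": sorted(clients[sid]),
                "users": sorted(users[sid]),
            }
    return findings


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, info)
```
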