We have discovered a very unpleasant behavior of RT if used with the RT::Authen::ExternalAuth module with LDAP authentication enabled. The problem is that sometimes an RT site visitor (no credentials entered, no cookie set) gets automatically logged in with the session of another user that was active before on another workstation. So user A gets into RT as user B without knowing the login credentials of user B.
This is a fresh installation of 3.8.9 (apache+fastcgi+mod_ssl), with two internal users (root and test) and LDAP authentication configured (version 0.08_01). Authentication works, I am able to log in as an external or internal user. The problem occurs with LDAP users and can be reproduced as follows (WS = workstation):

    Apache (RT/fastcgi) is restarted, all ../var files are deleted between stop and start
    WS2: browser is down
    WS1: LDAP user A logs in to RT
    WS2: LDAP user B starts the browser, browses to the RT page => login mask
    WS2: LDAP user B shuts down the browser, starts it again, browses to the RT page => logged in as LDAP user A

So it never happens the first time and not automatically the second time, but we were always able to reproduce it. We have tested with internal users also, but failed to reproduce the problem; probably more tries are required.

I have no idea how I can analyse the problem, as nothing is logged into rt.log when the session takeover happens, not even with debug and tracing enabled at the same time. Logging itself works fine; here is, for example, what I get every time when I am not logged in and browse to the RT url (normal entries?):

    [Thu Mar 3 17:25:03 2011] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/app/rt/rt-3.8.9/local/html/Elements/DoAuth:14)
    [Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth service: AD1 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
    [Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
    [Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth service: AD2 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
    [Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
    [Thu Mar 3 17:25:03 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)
    [Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth service: AD1 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
    [Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
    [Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth service: AD2 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
    [Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
    [Thu Mar 3 17:25:03 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)

All I have is the apache access log (nothing unusual in the error log), and the log entries of the situation when it happens:

    10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET / HTTP/1.1" 200 13324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "-"
    10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /NoAuth/images//favicon.png HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
    10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /NoAuth/images/bplogo.gif HTTP/1.1" 200 755 "https://orrt.mydomain/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
    10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /NoAuth/images/css/rollup-arrow.gif HTTP/1.1" 200 82 "https://orrt.mydomain/NoAuth/css/web2/main-squished.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
    10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /NoAuth/images//bplogo.gif HTTP/1.1" 200 755 "https://orrt.mydomain/NoAuth/css/web2/main-squished.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"

Any hints how I can analyse/fix the problem are welcome. Thank you in advance!

Regards,
-michael
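One way to start the analysis the post asks for, as an added example that is neither the poster's nor RT's own code: a Python script that parses access-log lines in the format quoted above (client IP, server name, user, time, request, status, bytes, referer, user-agent, Cookie header) and reports every RT_SID session id that was presented from more than one client address, which is exactly what a cookie-less visitor landing in another workstation's session would leave behind. The sample log is constructed: only the 10.255.1.21 lines are taken from the post (user-agent abridged); the 10.255.1.22 line stands for the earlier login on WS1 and the 10.255.1.23 line for an unrelated session.

```python
import re
from collections import defaultdict

# Access-log format as it appears in the post: client IP, server name, remote user,
# timestamp, request line, status, bytes, referer, user-agent and the Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# RT's session cookie is named RT_SID_<server>.<port>; its value is the session id.
SID_RE = re.compile(r'RT_SID_[^=;\s]+=([0-9a-f]+)')

# Constructed sample (see lead-in): 10.255.1.21 lines come from the post, the
# 10.255.1.22 line is the assumed WS1 login, 10.255.1.23 is an unrelated session.
SAMPLE_LOG = [
    '10.255.1.22 orrt.mydomain - [03/Mar/2011:17:40:12 +0100] "GET / HTTP/1.1" 200 13324 '
    '"-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"',
    '10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET / HTTP/1.1" 200 13324 '
    '"-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.13" "-"',
    '10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /NoAuth/images//favicon.png HTTP/1.1" 200 335 '
    '"-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"',
    '10.255.1.23 orrt.mydomain - [03/Mar/2011:18:20:03 +0100] "GET / HTTP/1.1" 200 13324 '
    '"-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.13" "RT_SID_ORRT.443=0123456789abcdef0123456789abcdef"',
]

def parse_line(line):
    """Parse one access-log line into a dict; adds 'sid' (session id or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sid = SID_RE.search(rec['cookie'])
    rec['sid'] = sid.group(1) if sid else None
    return rec

def shared_sessions(lines):
    """Map each RT session id to the sorted client IPs that presented it, keeping only
    ids seen from more than one address: a fresh cookie-less client being handed a
    session id another host was already using is the symptom described in the post."""
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['sid']:
            clients[rec['sid']].add(rec['ip'])
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}

if __name__ == '__main__':
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {', '.join(ips)}")
```

Run it over the real access log by replacing SAMPLE_LOG with the file's lines; a session id reported with two addresses at overlapping times is the takeover, and the first request of the second address (with cookie "-") pins down the moment the stale session was handed out.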