Ok, thanks for the response, will check.

Kind regards,
Nicôle

-----Original Message-----
From: k...@rice.edu [mailto:k...@rice.edu]
Sent: Tuesday, July 12, 2011 1:47 PM
To: Nicôle Layne-Balram
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] 3.8.x serious security issue with mixing

On Tue, Jul 12, 2011 at 01:43:09PM -0400, Nicôle Layne-Balram wrote:
> This is in response to an older thread that I do not think has been resolved
> or at least I can't find a working resolution posted anywhere.
>
> The initial e-mail thread, logs and responses can be found here
> http://www.mail-archive.com/rt-users@lists.bestpractical.com/msg23167.html.
>
> I'm running RT 3.8.8 and using RT-Authen-ExternalAuth 0.8.
>
> I'm not using a proxy (just straight apache with one RT instance), the
> backend is remote MySQL and users have two options for authenticating -
> LDAP/Active Directory or the local RT DB.
>
> A summary of what happens:
>
> User A logs in successfully, but is "served up" user B's session. When user
> A looks top right for their username, they actually see someone else's
> username and have access to their queues, etc as though user B had logged in.
> User A would then have to log off and back on and most times doing this once
> works.
>
> User A and B can be from different groups. There seems to be no pattern to
> the accounts that are mixed up, and it happens quite randomly. Sometimes you
> login fine (as yourself) for 15 tries, and then on 16th, all of a sudden
> you're logged in as someone else.
>
> It happens often enough for it to be annoying and for then users to post
> updates as others by mistake.
>
> It also happens on different browsers.
>
> In looking at the changelog for RT-Authen-ExternalAuth, I don't think that
> the two updates since have addressed this issue, if that plug-in is to blame.
>
> Anyone had a similar issue, any ideas?
>
> Thanks.
>
> Kind regards,
> Nicôle
>

Hi Nicole,

These issues have been traced to mod_cache and other cookie caching problems previously. You do not need a proxy to have the problem. I would start looking there.

Cheers,
Ken