[rt-users] Session take over while using RT::Authen::External

2011-03-03 Thread Michael Polivanov
We have discovered a very unpleasant behavior of RT if used with the
RT::Authen::External module with LDAP authentication enabled. The
problem is that sometimes an RT site visitor (no credentials entered,
no cookie set) gets automatically logged in with a session of another
user that was active before on another workstation. So user A gets
into RT as user B without knowing the login credentials of user B.

This is a fresh installation of 3.8.9 (apache+fastcgi+mod_ssl), with
two internal users (root and test) and LDAP authentication configured
(version 0.08_01). Authentication works, I am able to log in as an
external or internal user. The problem occurs with LDAP users and can
be reproduced as follows (WS = workstation):

Apache (RT/fastcgi) is restarted, all ../var files are deleted between
stop and start

WS2: browser is down
WS1: LDAP user A logs in to RT
WS2: LDAP user B starts the browser, browses to the RT page => login mask
WS2: LDAP user B shuts down the browser, starts it again, browses to the RT
page => logged in as LDAP user A

So it never happens the first time and not automatically the second,
but we were always able to reproduce it. We have tested with internal
users also, but failed to reproduce the problem; probably more tries
are required.

I have no idea how I can analyse the problem, as nothing is logged
into rt.log when the session takeover happens, not even with debug and
tracing enabled at the same time. Logging itself works fine; here is,
for example, what I get every time when I am not logged in and browse
to the RT url (normal entries?):

[Thu Mar  3 17:25:03 2011] [debug]: Reloading RT::User to work around
a bug in RT-3.8.0 and RT-3.8.1
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:14)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD1 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD2 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD1 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD2 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)

All I have is the apache access log (nothing unusual in the error log),
and the log entries of the situation when it happens:

10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /
HTTP/1.1" 200 13324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de;
rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "-"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images//favicon.png HTTP/1.1" 200 335 "-" "Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images/bplogo.gif HTTP/1.1" 200 755 "https://orrt.mydomain/";
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13)
Gecko/20101203 Firefox/3.6.13"
"RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images/css/rollup-arrow.gif HTTP/1.1" 200 82
"https://orrt.mydomain/NoAuth/css/web2/main-squished.css"; "Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images//bplogo.gif HTTP/1.1" 200 755
"https://orrt.mydomain/NoAuth/css/web2/main-squished.css"; "Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"

Any hints on how I can analyse/fix the problem are welcome. Thank you in advance!

Regards,
-michael


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-03 Thread Thomas Sibley
On 03 Mar 2011 13:03, Michael Polivanov wrote:
> We have discovered a very unpleasant behavior of RT if used with
> RT::Authen::External module with LDAP authentication enabled. The
> problem is that sometimes a RT site visitor (no credentials entered,
> no cookie set) gets automatically logged in with a session of another
> user, that was active before on another workstation. So user A gets
> into RT as user B without knowing the login credentials from user B.

Is there a proxy between RT and your workstations?

Thomas


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-03 Thread Thomas Sibley
Please keep mail on the list, thanks.

On 03 Mar 2011 13:47, Michael Polivanov wrote:
> Yes, there is one. I thought already that this might be a reason, but
> the setup is SSL only, so I don't think the proxy thing will be able
> to cache anything.

You should test your scenario without any proxies involved.  If you can
still replicate it, then we can keep troubleshooting.  Otherwise, my
bets are on the proxy.

Thomas


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-03 Thread Michael Polivanov
On Thu, Mar 3, 2011 at 20:10, Thomas Sibley  wrote:
> Please keep mail on the list, thanks.

Oops, too fast a reply. My bloody mistake ...

> You should test your scenario without any proxies involved.  If you can
> still replicate it, then we can keep troubleshooting.  Otherwise, my
> bets are on the proxy.

Will do so. But I am still unsure how a proxy server can interfere with
an SSL connection in my case. I mean, if the files were cached by the
proxy, I wouldn't see the requests in the apache log, especially not for
NoAuth objects, but I saw them every time the problem occurred.

Regards,
-michael


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-03 Thread Thomas Sibley
On 03 Mar 2011 14:26, Michael Polivanov wrote:
> Will do so. But I am still unsure how a proxy server can interfere with
> an SSL connection in my case. I mean, if the files were cached by the
> proxy, I wouldn't see the requests in the apache log, especially not for
> NoAuth objects, but I saw them every time the problem occurred.

In our experience, we haven't yet seen a cookie sharing problem that
wasn't a proxy or a misconfigured apache accelerator module (mod_cache,
etc).

Thomas


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-04 Thread Michael Polivanov
We have now tested it without proxy: same result, same problem. Can
this be a FastCGI issue?


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-04 Thread Thomas Sibley
On 04 Mar 2011 10:06, Michael Polivanov wrote:
> We have now tested it without proxy: same result, same problem. Can
> this be a FastCGI issue?

1) Can you send your entire Apache config (not just the RT vhost part)?
 Private mail to me is fine if you don't want to share it with the list.

2) Start up wireshark or tcpdump and see where and when the second
workstation gets the cookie.

Thomas


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-07 Thread Michael Polivanov
On Fri, Mar 4, 2011 at 17:09, Thomas Sibley  wrote:
> 1) Can you send your entire Apache config (not just the RT vhost part)?
>  Private mail to me is fine if you don't want to share it with the list.

It is attached.

Regards


apache-conf.tgz
Description: GNU Zip compressed data


Re: [rt-users] Session take over while using RT::Authen::External

2011-03-08 Thread Michael Polivanov
We were able to fix the issue (at least we believe so; more testing is
necessary) by starting a standalone FastCGI RT server. Further analysis
of the issue is required, but as there are so many factors to consider
(Perl build, FastCGI, RH EL6, ...), it will take a while.


Re: [rt-users] Session take over while using RT::Authen::External

2011-07-12 Thread Vladimir Nikolic
We had the same problem (FreeBSD 8.1, rt-3.8.10,
p5-RT-Authen-ExternalAuth-0.09, apache-2.2.19, ap22-mod_fastcgi-2.4.6_1).
Replacing mod_fastcgi with mod_perl (ap22-mod_perl2-2.0.5,3) solved the
problem.

Regards

-- 
Vladimir Nikolic | Sistemski administrator / System Administrator

Amis | Trzaska cesta 85 | 2000 Maribor | Slovenija
Tel: +386 080 20 10 | Faks: +386 2 620 6 333 | www.amis.net

2011 Training: http://bestpractical.com/services/training.html