Re: [rt-users] RT_SID cookie not invalidated at logout

2013-02-21 Thread Thomas Sibley
On 02/21/2013 03:29 PM, Jenny Martin wrote:
>> I've dug into this.  Are you by chance using Oracle for the RT database?
>>  If not, are you explicitly setting the $WebSessionClass option to
>> Apache::Session::File?
>>
>
> Thanks for investigating.  Yes, we are using Oracle.  WebSessionClass is
> default, which is commented out.

On Oracle, RT defaults to using Apache::Session::File instead of storing
sessions in the database (for historical reasons).  If you're up for it,
try switching to Apache::Session::Oracle.

1) Install it: sudo cpan -i Apache::Session::Oracle
2) Add this line to your /opt/rt4/etc/RT_SiteConfig.pm:

   Set($WebSessionClass, "Apache::Session::Oracle");

3) Restart Apache

This should fix your problem.  If you experience other issues, you can
revert back to the original behaviour by commenting out or removing the
line you added to RT_SiteConfig.pm above and restarting Apache again.

Let us know how that works.

Thomas


-- 
RT training in Amsterdam, March 20-21: 
http://bestpractical.com/services/training.html

Help improve RT by taking our user survey: 
https://www.surveymonkey.com/s/N23JW9T


Re: [rt-users] RT_SID cookie not invalidated at logout

2013-02-21 Thread Jenny Martin

> I've dug into this.  Are you by chance using Oracle for the RT database?
>  If not, are you explicitly setting the $WebSessionClass option to
> Apache::Session::File?
>
> Thomas
>
Thanks for investigating.  Yes, we are using Oracle.  WebSessionClass is
default, which is commented out.



Re: [rt-users] RT_SID cookie not invalidated at logout

2013-02-21 Thread Thomas Sibley
On 02/20/2013 06:07 PM, Jenny Martin wrote:
> All our users authenticate using their LDAP credentials via
> RT-Authen-ExternalAuth plugin.  I just tried creating a local user, and
> RT does the right thing when the local user logs in - it sends back a
> new cookie and removes the old session data.  So the problem seems to be
> with the RT-Authen-ExternalAuth plugin.
> 
> We recently upgraded from RT 4.0.4/ExternalAuth 0.9 to
> RT 4.0.10/ExternalAuth 0.13.  I can't be sure the problem didn't exist
> before, but I didn't notice it.

I've dug into this.  Are you by chance using Oracle for the RT database?
 If not, are you explicitly setting the $WebSessionClass option to
Apache::Session::File?

Thomas



Re: [rt-users] RT_SID cookie not invalidated at logout

2013-02-20 Thread Jenny Martin
All our users authenticate using their LDAP credentials via
RT-Authen-ExternalAuth plugin.  I just tried creating a local user, and
RT does the right thing when the local user logs in - it sends back a
new cookie and removes the old session data.  So the problem seems to be
with the RT-Authen-ExternalAuth plugin.

We recently upgraded from RT 4.0.4/ExternalAuth 0.9 to
RT 4.0.10/ExternalAuth 0.13.  I can't be sure the problem didn't exist
before, but I didn't notice it.



Re: [rt-users] RT_SID cookie not invalidated at logout

2013-02-20 Thread Thomas Sibley
On 02/20/2013 12:00 PM, Jenny Martin wrote:
> It looks like the session is not invalidated on logout.  The cookie is
> still valid in my browser, and the corresponding session is still
> present in session-data.

The cookie being valid doesn't matter.  What matters is that RT
invalidates the session on the server-side, so it can't be reused.

> I attach an http trace and you can see that the logout response
> explicitly sets the old cookie.  I have disabled mod_cache and
> mod_disk_cache.  No web proxies in use.

Thank you for the trace.  Please send your Apache config as well, and
keep replies on list for posterity.

Do you have any local customizations to RT?

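The check Thomas describes above (what matters is that the server rejects a replayed RT_SID after logout, not whether the browser still holds the cookie), and the test you would run before and after the $WebSessionClass change from his later reply, written out as an added example. This is not code from RT or from Best Practical. It logs in, logs out, then replays the pre-logout cookie and reports whether the server still treats it as authenticated. So that it runs offline, a small RT-like session server is constructed in-process; to test a real instance, call session_replay_check() with your RT base URL instead. Assumptions to verify against your install: the login form POSTs `user` and `pass` to the root URL, logout is GET /NoAuth/Logout.html, the session cookie name starts with RT_SID, and an authenticated page contains the text "Logged in as".

```python
"""Replay test: is the RT_SID session invalidated server-side on logout?

Added example for this thread, not RT's own code. The FakeRT server below is a
constructed stand-in so the check runs offline; point session_replay_check() at a
real RT base URL to test an instance. Assumed RT conventions (verify locally):
login POSTs `user`/`pass` to "/", logout is GET /NoAuth/Logout.html, the cookie
name starts with RT_SID, and a logged-in page contains "Logged in as".
"""
import http.client
import http.cookies
import http.server
import secrets
import threading
import urllib.parse


class FakeRT(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for RT's session layer (not RT itself)."""
    sessions = {}                 # sid -> user, shared across requests
    invalidate_on_logout = True   # False mimics the behaviour reported in the thread

    def _sid(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return next((m.value for n, m in jar.items() if n.startswith("RT_SID")), None)

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # login: this fake accepts any user/pass pair
        raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
        form = urllib.parse.parse_qs(raw)
        sid = secrets.token_hex(16)
        self.sessions[sid] = form.get("user", ["?"])[0]
        self._reply(302, extra=[("Location", "/"),
                                ("Set-Cookie", f"RT_SID_example.80={sid}; path=/; HttpOnly")])

    def do_GET(self):
        sid = self._sid()
        if self.path.startswith("/NoAuth/Logout.html"):
            if self.invalidate_on_logout:
                self.sessions.pop(sid, None)   # the server-side invalidation that matters
            self._reply(200, b"You have been logged out")
        elif sid in self.sessions:
            self._reply(200, f"Logged in as {self.sessions[sid]}".encode())
        else:
            self._reply(200, b"<form>login</form>")

    def log_message(self, *args):
        pass


def _http(base_url, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, headers, body)."""
    u = urllib.parse.urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    conn.request(method, path, body, headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheaders(), data


def session_replay_check(base_url, user="alice", password="secret"):
    """Return True if the pre-logout RT_SID is rejected after logout."""
    form = urllib.parse.urlencode({"user": user, "pass": password})
    _, hdrs, _ = _http(base_url, "POST", "/", form,
                       {"Content-Type": "application/x-www-form-urlencoded"})
    cookie = next((v.split(";", 1)[0] for k, v in hdrs
                   if k.lower() == "set-cookie" and v.startswith("RT_SID")), None)
    if cookie is None:
        raise RuntimeError("login did not set an RT_SID cookie")
    _http(base_url, "GET", "/NoAuth/Logout.html", headers={"Cookie": cookie})
    _, _, page = _http(base_url, "GET", "/", headers={"Cookie": cookie})  # replay
    return b"Logged in as" not in page


def demo(invalidate_on_logout):
    """Run the check against the fake server in one configuration."""
    FakeRT.invalidate_on_logout = invalidate_on_logout
    FakeRT.sessions.clear()
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeRT)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return session_replay_check(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("invalidating server, replay rejected:", demo(True))       # True
    print("non-invalidating server, replay rejected:", demo(False))  # False
```

Against a real install, a result of False after logout is the symptom in this thread: the cookie still maps to live session data on the server. Run it once before and once after adding the $WebSessionClass line to RT_SiteConfig.pm and restarting Apache; the fix is confirmed when the replay is rejected.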


Re: [rt-users] RT_SID cookie not invalidated at logout

2013-02-19 Thread Thomas Sibley
On 02/19/2013 04:32 PM, Jenny Martin wrote:
> I use RT on several computers, and found that changes I made to RT-at-a-glance
> on one were not seen when I re-logged in on another.  The browser is presenting
> the RT_SID cookie from a previous session, and RT then seems to use the cached
> RT-at-a-glance data perhaps from /opt/rt4/var/session_data.

The configuration of "RT at a glance" is indeed stored in the session.
This means that if you have two sessions, you'll need to logout of the
second and log back in before you'll see changes made by the first.
It's generally a minor annoyance since the configuration of the RT at a
glance page doesn't usually change very often.

RT invalidates the current session on logout, but of course it doesn't
invalidate any other sessions the same user may have otherwise you'd be
logged out of your other devices.

> Also if I logout of RT and log in again as a different user, the new user is
> authenticated correctly and gains the correct rights, but gets the (broken)
> RT-at-a-glance settings of the previous user.

This claim is very different and suggests that RT is mixing sessions
between users.  I doubt that is happening; all previous cases of mixed
sessions between different users were caused by improper caching layers
at the webserver or network level.  Do you have mod_cache enabled in Apache?

Please verify you can reproduce this reliably, and then submit the
reproduction steps.  If possible, include a network trace (using a wire
sniffer or something like Firebug/Web inspector in your browser).

> I am running RT 4.0.10 with mod_fcgid 2.3.6 and RT-Authen-ExternalAuth ldap
> authentication.

Thanks for the RT version; it's good to see someone running the latest
when reporting issues.
