Re: [rt-users] Some users getting CSRF warnings when creating tickets?

2016-09-27 Thread Todd Wade

On 9/27/16 9:17 AM, Alex Hall wrote:

> That makes me wonder: would having two subdomains do it? I have
> tickets.domain.com and rt.domain.com both going to the same thing,
> but rt.autodist.com is the actual domain in the configuration files.


Yes, this would do it. There is a config option to allow you to bypass
the CSRF warning for the additional domains:

https://docs.bestpractical.com/rt/4.4.1/RT_Config.html#ReferrerWhitelist

-
RT 4.4 and RTIR training sessions, and a new workshop day! 
https://bestpractical.com/training
* Boston - October 24-26
* Los Angeles - Q1 2017
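
An added example, not part of the thread and not RT's own code: a simplified model of a host:port Referer comparison that reproduces the two causes reported in this thread (an alternate hostname, and http versus https) and renders a ReferrerWhitelist line for the alternate hostname. It assumes the check compares the Referer's host and port with the configured site and with whitelist entries written as host:port; the function names and sample URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def host_port(url):
    """Return 'host:port' for a URL, using the scheme's default port if none is given."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return f"{(parts.hostname or '').lower()}:{port}"

def classify(referer, web_base_url, whitelist=()):
    """Compare a Referer header with the configured site and the whitelist entries."""
    if not referer:
        return "missing"          # no header to compare
    ref, site = host_port(referer), host_port(web_base_url)
    if ref == site or ref in whitelist:
        return "ok"
    if ref.rsplit(":", 1)[0] == site.rsplit(":", 1)[0]:
        return "port-mismatch"    # same host, http vs https (Sean's report)
    return "host-mismatch"        # alternate hostname (Alex's setup)

def whitelist_entries(referers, web_base_url):
    """host:port entries covering the https host mismatches.

    http referers are left out on purpose: the fix reported in the thread
    for those is to have users log in at the https address.
    """
    return sorted({host_port(r) for r in referers
                   if urlsplit(r).scheme == "https"
                   and classify(r, web_base_url) == "host-mismatch"})

def site_config_line(entries):
    """Render the entries as an RT_SiteConfig.pm setting."""
    return f"Set(@ReferrerWhitelist, qw({' '.join(entries)}));"

# Constructed sample values; the hostnames reuse the thread's placeholders.
WEB_BASE_URL = "https://rt.domain.com"
SAMPLE_REFERERS = [
    "https://rt.domain.com/Ticket/Create.html?Queue=1",
    "https://tickets.domain.com/Ticket/Create.html?Queue=1",
    "http://rt.domain.com/Ticket/Create.html?Queue=1",
]

if __name__ == "__main__":
    for r in SAMPLE_REFERERS:
        print(f"{classify(r, WEB_BASE_URL):14} {r}")
    print(site_config_line(whitelist_entries(SAMPLE_REFERERS, WEB_BASE_URL)))
```
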


Re: [rt-users] Some users getting CSRF warnings when creating tickets?

2016-09-27 Thread Sean Cwiek
Hey Alex,

We’ve seen this when users are jumping between the http and https versions of 
our RT instance.  Advising everyone to log in at the https address seemed to 
resolve it for us.

Thanks.

-Sean

From: rt-users [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of 
Alex Hall
Sent: Monday, September 26, 2016 4:07 PM
To: rt-users 
Subject: [rt-users] Some users getting CSRF warnings when creating tickets?

Hi all,
We're starting to have more people test RT now. Oddly, the two who just started 
trying it out get CSRF warnings when they try to make or update tickets, while 
no one else does. They are using Chrome, but so is a guy who is *not* getting 
the warnings. We're all in the same building, thus on the same network. Any 
idea why this might be happening? My Nginx log for RT doesn't include anything 
about this, and my RT log is empty. Thanks.

--
Alex Hall
Automatic Distributors, IT department
ah...@autodist.com

Re: [rt-users] Some users getting CSRF warnings when creating tickets?

2016-09-27 Thread Alex Hall
That makes me wonder: would having two subdomains do it? I have
tickets.domain.com and rt.domain.com both going to the same thing, but
rt.autodist.com is the actual domain in the configuration files. I wonder
if starting from tickets.domain.com would cause this warning, as the
browser sees one domain trying to do an action on what it thinks is a
different one? I'll have people stick to rt.domain.com and see if that
makes a difference.

On Tue, Sep 27, 2016 at 8:23 AM, Sean Cwiek wrote:

> Hey Alex,
>
> We’ve seen this when users are jumping between the http and https versions
> of our RT instance.  Advising everyone to log in at the https address seemed
> to resolve it for us.
>
> Thanks.
>
> -Sean
>
> *From:* rt-users [mailto:rt-users-boun...@lists.bestpractical.com] *On
> Behalf Of* Alex Hall
> *Sent:* Monday, September 26, 2016 4:07 PM
> *To:* rt-users
> *Subject:* [rt-users] Some users getting CSRF warnings when creating
> tickets?
>
> Hi all,
>
> We're starting to have more people test RT now. Oddly, the two who just
> started trying it out get CSRF warnings when they try to make or update
> tickets, while no one else does. They are using Chrome, but so is a guy who
> is *not* getting the warnings. We're all in the same building, thus on the
> same network. Any idea why this might be happening? My Nginx log for RT
> doesn't include anything about this, and my RT log is empty. Thanks.
>
> --
> Alex Hall
> Automatic Distributors, IT department
> ah...@autodist.com



-- 
Alex Hall
Automatic Distributors, IT department
ah...@autodist.com