On Friday 23 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 23, 2009 at 11:24:01AM +0200, Arkadiusz Miskiewicz wrote:
> > I have a very serious security problem with 3.8 installation (3.8.6
> > currently).
> >
> > Logged User sessions are being mixed up. One logged user is becoming
> > another logged user as seen by rt. It happens in different moments.
> >
> > For example I'm user A and after clicking to view some ticket I become
> > user B.
> >
> > Or I'm logged in into user A but suddenly I get monit about need to log
> > in and after logging in with user A data I'm becoming user C (in this case
> > "Successful login for .." isn't logged into logs).
> >
> > Tried using default settings (session kept in mysql) but also
> > Apache::Session::File. Problem happens in both cases. I'm using mod_perl
> > to run rt.
>
> I don't think I've ever seen this with RT, but I have seen it with other
> applications - the cause is _usually_ an HTTP proxy that's caching RT's
> pages. Do you have any sort of HTTP proxy between your browsers and your
> server?

No proxy. Also rt is served over https. The session is really changing user
because when trying to do something that user A has access to I get permission
denied due to B/C not having that access. Something else is going on.

> -jesse

--
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/