On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:

Today it happened to me. I suddenly became user B in rt (opera). The real 
user B had his PC running with rt opened (firefox) with autorefresh every 2 
minutes set but he was away from his computer.

Now I verified his and my RT_SID cookies and... I have his cookie, aka we both 
use the same cookie.  I log session_id in rt.log at login, so I also checked 
that and had a login for user B with that cookie logged in rt.log 20 minutes 
ago. The sessions table in mysql contained that session_id of course. My initial 
cookie that I logged in with as user A was also there in the sessions table.

So in the end user B and I both have active sessions as user B with the 
same cookie. I even did a few steps through rt on both computers to see if 
the session_id would change, but no - we are still logged in and still use the 
same session_id/cookie.

(feature request: what I miss now is a way to make the session contain IP 
address information for better security - so that the session would work only 
from that one IP)
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
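
The IP binding asked for in the feature request above, as an added example (not RT code and not part of the original message). The class, its method names, the user names and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import secrets


class IPBoundSessionStore:
    """Hypothetical in-memory session table that records the client address at login."""

    def __init__(self, v4_prefix=32, v6_prefix=64):
        # /32 binds an IPv4 session to exactly one address; a shorter prefix
        # tolerates address changes at the cost of a weaker binding.
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.sessions = {}   # session_id -> (user, bound network)
        self.rejected = []   # (session_id, owner, offending ip) for logging/alerting

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def login(self, user, ip):
        sid = secrets.token_hex(16)          # fresh, unpredictable id per login
        self.sessions[sid] = (user, self._network(ip))
        return sid

    def user_for(self, sid, ip):
        """Return the session's user, or None if the id is unknown or the
        cookie is presented from outside the network it was bound to."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, network = entry
        if ipaddress.ip_address(ip) not in network:
            self.rejected.append((sid, user, ip))
            return None
        return user


def replay_incident():
    """Constructed replay of the report: user B's cookie shows up on user A's machine."""
    store = IPBoundSessionStore()
    sid_b = store.login("userB", "192.0.2.10")   # user B's PC (constructed address)
    store.login("userA", "192.0.2.20")           # user A's own login
    from_b = store.user_for(sid_b, "192.0.2.10")  # B's autorefresh still works
    from_a = store.user_for(sid_b, "192.0.2.20")  # same cookie from A's PC is refused
    return [from_b, from_a], store.rejected
```

Two clients behind the same NAT or proxy present the same address, so this check would not separate them, and a client whose address changes mid-session has to log in again.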

