[rt-users] ANSWER: That logout bug on 3.6.0

Jesse Vincent jesse at bestpractical.com
Tue Jul 18 21:34:27 EDT 2006


I spent a while yesterday poking at the logout bug reported by many  
folks against RT 3.6.0. Turns out it's not one bug but several  
related bugs. And only some of them are in RT ;)

I believe I've got a fairly complete solution ready to go.


Issue 1: Apache::Session statement handle clobbering.

Inside our session handling library, Apache::Session, there's  
internal magic to cache database statement handles for increased  
performance. This is great in traditional application design, but  
falls over badly when, say, you have a redirect back to another page  
on the application and that redirect happens before the session is  
firmly disconnected. In RT 3.6, we mainstreamed an RT change which  
automatically redirects you to a ticket page after a create, reply or  
comment. We've changed RT's behaviour to more aggressively clear its
database connection, clear it before issuing the redirect header and
do a couple other small things that should help.

Issue 2: Host canonicalization.

RT 3.6 uses absolute URLs for redirects, as well as in a couple other
places. As of 3.6.0, we're redirecting to your "canonical" RT  
hostname. RT cookies are tied to a hostname. If you can get to RT as  
http://foo.company.com and http://foo, this would also cause a new  
authentication request.


Both of these issues are fixed in the current Subversion tree, which  
will be released as RT 3.6.1pre1 later tonight. (Or tomorrow if I  
don't make it through before my flight).

Best,

Jesse
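
Added example, not part of the original message and not RT's code: a simplified model of browser cookie scoping (RFC 6265 storage and domain matching) showing why the redirect in Issue 2 arrives without the session cookie. The cookie name `session`, the URL paths and the helper names are constructed for illustration; IP-address hosts and the Path/Secure attributes are not modelled.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    domain: str      # host that set it, or the Domain attribute value
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: identical, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(request_host: str, name: str,
                 domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Store a cookie the way a browser would, or reject it (None)."""
    host = request_host.lower()
    if domain_attr is None:
        return Cookie(name, host, host_only=True)
    domain = domain_attr.lower().lstrip(".")
    # A server can only set a cookie for its own host or a parent domain.
    if not domain_match(host, domain):
        return None
    return Cookie(name, domain, host_only=False)


def cookie_sent(cookie: Cookie, url: str) -> bool:
    """Would the browser attach this cookie to a request for url?"""
    host = (urlsplit(url).hostname or "").lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_match(host, cookie.domain)


def survives_redirect(login_host: str, redirect_url: str,
                      domain_attr: Optional[str] = None) -> bool:
    """Log in on login_host, follow an absolute redirect: is the cookie sent?"""
    cookie = store_cookie(login_host, "session", domain_attr)
    return cookie is not None and cookie_sent(cookie, redirect_url)


if __name__ == "__main__":
    canonical = "http://foo.company.com/ticket?id=1"  # constructed URL
    print("login via foo            :", survives_redirect("foo", canonical))
    print("login via foo.company.com:", survives_redirect("foo.company.com", canonical))
```

The last test case shows the trade-off of widening the cookie with a Domain attribute: it survives a change of hostname, but is then also sent to sibling hosts under the same domain.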