[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

Arkadiusz Miskiewicz arekm at maven.pl
Mon Nov 2 02:13:35 EST 2009


On Friday 30 of October 2009, Jesse Vincent wrote:
> On Fri, Oct 30, 2009 at 03:13:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Arkadiusz Miskiewicz wrote:
> > > On Friday 23 of October 2009, Jesse Vincent wrote:
> > > > I don't think I've ever seen this with RT, but I have seen it with
> > > > other applications - the cause is _usually_ an HTTP proxy that's
> > > > caching RT's pages. Do you have any sort of HTTP proxy between your
> > > > browsers and your server?
> > >
> > > No proxy. Also rt is served over https.
> >
> > There is no proxy but apache serving rt had mod_cache module installed
> > which turns out to be caching cookies!
> >
> > Nightmare to track. Uninstalled and so far everything is working nicely.
> >
> > Now the question is can anything be done on rt level to prevent mod_cache
> > from caching such stuff and actually creating security issues?
> 
> Well, what does mod_cache need to know not to cache requests?

Cache: no-cache but that will prevent caching at all. There seems to be no way to
prevent caching cookies from the application side.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
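
An added example, not part of the original thread or of RT's code: a check a defender can run over response headers to spot the condition discussed above, a response that carries Set-Cookie while nothing in its Cache-Control stops a shared cache such as mod_cache from storing it. It judges only by the standard HTTP meaning of no-store, private and no-cache (including their field-name forms) and is deliberately conservative; the sample headers are constructed, and whether a given cache honours the field-name forms is an assumption to verify separately.

```python
import re
from email.parser import Parser

# A directive name, optionally followed by =token or ="quoted, list".
_DIRECTIVE = re.compile(r'([A-Za-z-]+)(?:\s*=\s*(?:"([^"]*)"|([^,\s]*)))?')


def parse_cache_control(value):
    """Map each Cache-Control directive (lowercased) to its argument or None."""
    out = {}
    for m in _DIRECTIVE.finditer(value):
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1).lower()] = arg.lower() if arg else None
    return out


def covers_set_cookie(cc, directive):
    """True if the directive is present unqualified or names Set-Cookie."""
    if directive not in cc:
        return False
    fields = cc[directive]
    return fields is None or "set-cookie" in [f.strip() for f in fields.split(",")]


def shared_cache_may_replay_cookie(raw_response_head):
    """True when a response sets a cookie and no Cache-Control directive
    keeps a shared cache from storing it and serving it to another client."""
    _, _, header_block = raw_response_head.partition("\n")  # drop status line
    msg = Parser().parsestr(header_block, headersonly=True)
    if not msg.get_all("Set-Cookie"):
        return False
    cc = {}
    for value in msg.get_all("Cache-Control") or []:
        cc.update(parse_cache_control(value))
    if "no-store" in cc:
        return False
    return not (covers_set_cookie(cc, "private") or covers_set_cookie(cc, "no-cache"))


# Constructed sample response heads (not captured from a real server).
CACHEABLE = "HTTP/1.1 200 OK\nCache-Control: max-age=3600\nSet-Cookie: session=constructed; path=/\n"
QUALIFIED = 'HTTP/1.1 200 OK\nCache-Control: max-age=3600, no-cache="Set-Cookie"\nSet-Cookie: session=constructed; path=/\n'
STATIC = "HTTP/1.1 200 OK\nCache-Control: max-age=3600\nContent-Type: image/png\n"

if __name__ == "__main__":
    for name, head in (("cacheable", CACHEABLE), ("qualified", QUALIFIED), ("static", STATIC)):
        print(name, "RISK" if shared_cache_may_replay_cookie(head) else "ok")
```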


