[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

Arkadiusz Miskiewicz arekm at maven.pl
Tue Nov 3 02:49:47 EST 2009


On Monday 02 of November 2009, Jesse Vincent wrote:
> > Cache: no-cache but that will prevent caching at all. There seems to be no
> > way to prevent caching cookies from the application side.
> 
> What's the current state of browser in-memory/on-disk caching with the
> Cache: no-cache header?
> 
> The attached patch against 3.8.6 might be the right solution for you. I'd
> consider making this change to RT if you can report back and tell me if
> it does the right thing for you:

This patch doesn't solve the issue. People still get mixed sessions (test was 
done after deleting all sessions from sessions table and restarting apache).

> diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
> index b82b638..dccf829 100755
> --- a/lib/RT/Interface/Web.pm
> +++ b/lib/RT/Interface/Web.pm
> @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
>      return unless $m->base_comp->path =~
>  RT->Config->Get('WebNoAuthRegex');
> 
>      # If it's a noauth file, don't ask for auth.
> -    SendSessionCookie();
>      $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %$ARGS );
>      $m->abort;
>  }
> 
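Review bot: The comment left above the removal (`# If it's a noauth file, don't ask for auth.`) no longer explains what this hunk changes: every path matching WebNoAuthRegex now gets its response without a Set-Cookie, and nothing in the hunk says why. Add a line such as `# Noauth responses are cacheable; never attach a session cookie to them` so the call is not reinstated by the next reader who notices noauth pages stopped sending a cookie. Note also that the hunk only stops the cookie from being emitted; it does not touch how the session is looked up or created for the request, so mixing that happens at session lookup rather than at Set-Cookie is outside what this change can fix, which matches the report above that the patch did not resolve it. Finally, the context line `return unless $m->base_comp->path =~` / `RT->Config->Get('WebNoAuthRegex');` is split across two lines by mail wrapping; rejoin it before feeding this to `patch`, or the hunk will fail to apply.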


-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
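The thread above is probing one way sessions can get mixed: a noauth resource (CSS, images) is served with a Set-Cookie header and no caching restriction, a shared cache in front of RT stores that response keyed by URL only, and the next user who requests the same URL is handed the first user's session cookie. The following toy model is an added illustration of that mechanism, not RT code and not part of the original message; the App, SharedCache, path and cookie name are constructed stand-ins. The "patched" variant corresponds to the quoted hunk (no Set-Cookie on noauth responses); the "header" variant shows the alternative of marking the response uncacheable. As the reporter notes, the patch did not stop the mixing in his setup, so this models only the cached-cookie hypothesis, not whatever was actually going on there.

```python
"""Toy model of a shared HTTP cache in front of an RT-like application.

Constructed illustration of how a Set-Cookie on a cacheable noauth response
can hand one user's session to another. Not RT code; names are made up.
"""
from dataclasses import dataclass, field
import itertools


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class App:
    """Stand-in for RT serving a noauth resource.

    send_cookie_on_noauth models the SendSessionCookie() call the patch removes;
    cache_control is an optional Cache-Control value the app attaches.
    """

    def __init__(self, send_cookie_on_noauth, cache_control=None):
        self.send_cookie_on_noauth = send_cookie_on_noauth
        self.cache_control = cache_control
        self._ids = itertools.count(1)

    def handle(self, user, path, cookie=None):
        # A request without a cookie gets a fresh session id (constructed format).
        sid = cookie or f"sess-{user}-{next(self._ids)}"
        headers = {}
        if self.send_cookie_on_noauth and cookie is None:
            headers["Set-Cookie"] = f"RT_SID={sid}"
        if self.cache_control:
            headers["Cache-Control"] = self.cache_control
        return Response(body=f"static content of {path}", headers=headers)


class SharedCache:
    """Proxy-style cache keyed by URL only, ignoring cookies.

    Simplification: it stores anything not marked no-store or private and does
    not model the revalidation that Cache-Control: no-cache would require.
    """

    def __init__(self, app):
        self.app = app
        self.store = {}

    def get(self, user, path, cookie=None):
        if path in self.store:
            return self.store[path], "HIT"
        resp = self.app.handle(user, path, cookie)
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" not in cc and "private" not in cc:
            self.store[path] = resp
        return resp, "MISS"


def simulate(app, path="/NoAuth/css/main.css"):
    """alice then bob fetch the same noauth URL through one shared cache.

    Returns the Set-Cookie header each of them received (None if absent).
    """
    cache = SharedCache(app)
    seen = {}
    for user in ("alice", "bob"):
        resp, _status = cache.get(user, path)
        seen[user] = resp.headers.get("Set-Cookie")
    return seen


def sessions_mixed(seen):
    """True when bob was handed the very cookie that was minted for alice."""
    return seen["alice"] is not None and seen["alice"] == seen["bob"]


if __name__ == "__main__":
    before = simulate(App(send_cookie_on_noauth=True))
    patched = simulate(App(send_cookie_on_noauth=False))
    header = simulate(App(send_cookie_on_noauth=True, cache_control="private, no-store"))
    print("cookie on cacheable noauth response:", before, "mixed:", sessions_mixed(before))
    print("no cookie on noauth (patch):        ", patched, "mixed:", sessions_mixed(patched))
    print("private, no-store on response:      ", header, "mixed:", sessions_mixed(header))
```

Running it shows bob receiving `RT_SID=sess-alice-1` in the first scenario and distinct or absent cookies in the other two. In a real deployment the same check is done by fetching a noauth URL twice from different clients through the proxy and comparing the Set-Cookie headers; the toy cache deliberately ignores the `no-cache` directive discussed above, since a compliant cache would revalidate rather than refuse to store.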