[rt-users] Session take over while using RT::Authen::External

Michael Polivanov greylisted at gmail.com
Thu Mar 3 13:03:13 EST 2011


We have discovered a very unpleasant behavior of RT if used with the
RT::Authen::External module with LDAP authentication enabled. The
problem is that sometimes an RT site visitor (no credentials entered,
no cookie set) gets automatically logged in with the session of another
user that was active before on another workstation. So user A gets
into RT as user B without knowing the login credentials of user B.

This is a fresh installation of 3.8.9 (apache+fastcgi+mod_ssl), with
two internal users (root and test) and LDAP authentication configured
(version 0.08_01). Authentication works, I am able to log in as an
external or internal user. The problem occurs with LDAP users and can
be reproduced as follows (WS = workstation):

Apache (RT/fastcgi) is restarted, all ../var files are deleted between
stop and start

WS2: browser is down
WS1: LDAP user A logs in to RT
WS2: LDAP user B starts the browser, browses to the RT page => login mask
WS2: LDAP user B shuts down the browser, starts it again, browses to the RT
page => logged in as LDAP user A

So it never happens the first time and not automatically the second,
but we were always able to reproduce it. We have tested with internal
users also, but failed to reproduce the problem; probably more tries
are required.

I have no idea how I can analyse the problem, as nothing is logged
into rt.log if the session takeover happens, not even with debug and
tracing enabled at the same time. Logging itself works fine; here, for
example, is what I get every time I am not logged in and browse
to the RT url (normal entries?):

[Thu Mar  3 17:25:03 2011] [debug]: Reloading RT::User to work around
a bug in RT-3.8.0 and RT-3.8.1
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:14)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD1 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD2 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD1 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD2 (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar  3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/../local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar  3 17:25:03 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)

All I have is the apache access log (nothing unusual in the error log),
and the log entries of the situation when it happens:

10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET /
HTTP/1.1" 200 13324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de;
rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" "-"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images//favicon.png HTTP/1.1" 200 335 "-" "Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images/bplogo.gif HTTP/1.1" 200 755 "https://orrt.mydomain/"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13)
Gecko/20101203 Firefox/3.6.13"
"RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images/css/rollup-arrow.gif HTTP/1.1" 200 82
"https://orrt.mydomain/NoAuth/css/web2/main-squished.css" "Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET
/NoAuth/images//bplogo.gif HTTP/1.1" 200 755
"https://orrt.mydomain/NoAuth/css/web2/main-squished.css" "Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13" "RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7"

Any hints on how I can analyse/fix the problem are welcome. Thank you in advance!

Regards,
-michael
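One defender-side check that follows from the access-log excerpt above, added here as an example and not part of the original post: since Apache is already logging the request Cookie header, the signature of a takeover is an RT session id that is presented from more than one client address. The log lines below are constructed to mirror the post (the session id is the one quoted above; 10.255.1.22 is an assumed address for WS1).

```python
import re
from collections import defaultdict

# Apache combined-style line as in the post: the last quoted field is the
# request's Cookie header, "-" when the browser sent none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# RT session cookie: RT_SID_<site>.<port>=<32 hex chars>
SID_RE = re.compile(r'RT_SID_[^=;\s]+=([0-9a-f]{32})')

def parse_line(line):
    """Split one access-log line into fields; sid is None if no RT cookie."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sid = SID_RE.search(rec["cookie"])
    rec["sid"] = sid.group(1) if sid else None
    return rec

def shared_sessions(lines):
    """Return {sid: sorted client IPs} for every RT session id presented
    from more than one client address (the cross-workstation signature)."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sid"]:
            seen[rec["sid"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}

# Constructed sample modelled on the post's log excerpt.
UA = ('"Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13) '
      'Gecko/20101203 Firefox/3.6.13"')
SID_A = "8521fcfb89bab01d0a16cb5d5a76c6c7"  # session id quoted in the post
SAMPLE_LOG = [
    # WS1 (assumed address 10.255.1.22): user A using their own session
    f'10.255.1.22 orrt.mydomain - [03/Mar/2011:18:10:02 +0100] "GET / HTTP/1.1" '
    f'200 13324 "-" {UA} "RT_SID_ORRT.443={SID_A}"',
    # WS2: first request carries no cookie at all ...
    f'10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] "GET / HTTP/1.1" '
    f'200 13324 "-" {UA} "-"',
    # ... and the next one already presents user A's session id
    f'10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] '
    f'"GET /NoAuth/images//favicon.png HTTP/1.1" 200 335 "-" {UA} '
    f'"RT_SID_ORRT.443={SID_A}"',
]

if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} seen from {', '.join(ips)}")
```

Run it over the real access log (one request per line) to list every session id that crossed workstations, which is exactly the event rt.log does not record.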
