[rt-users] SelfService users need to login twice

ktm at rice.edu ktm at rice.edu
Fri May 13 12:18:52 EDT 2011


On Fri, May 13, 2011 at 11:56:19AM -0400, Kevin Falcone wrote:
> On Fri, May 13, 2011 at 10:37:44AM -0500, ktm at rice.edu wrote:
> > On Fri, May 13, 2011 at 10:27:05AM -0500, ktm at rice.edu wrote:
> > > Hi,
> > > 
> > > I am investigating a problem with the SelfService login page where
> > > unprivileged users must log in two times in a row for it to succeed.
> > > I found this thread:
> > > 
> > > http://www.gossamer-threads.com/lists/rt/users/90794
> > > 
> > > and I think that my issue is the same. Unfortunately, I cannot
> > > find the original patch for 3.8.0 - 3.8.5 that I applied. Does
> > > anyone have a copy of the patch or an idea on how to debug this?
> > > 
> > > Regards,
> > > Ken
> > > 
> > 
> > I had to make the same change to:
> > 
> > share/html/Elements/SetupSessionCookie
> > 
> > as described in the thread to eliminate the double login.
> > Like the original thread, I am curious if there is a problem
> > with this fix or a better one? I am running 3.8.5.
> 
> I'm not sure which fix you're referencing, since my sha1 in that
> thread was for the 3.6 fix, which was a backport of 
> 84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8
> 
> This was a fix for users going to http://rt.server/ and logging in and
> losing the cookie when being redirected by mod_perl to
> http://rt.server/SelfService/
> 
> Again, not sure what fix you applied, so it's hard to comment further.
> 
> -kevin

It was the 3.8 session fixation patch.

Ken
.......................
> cat rt-3.8-session_fixation.patch 
--- ../rt-3.8.5/share/html/Elements/SetupSessionCookie	2009-09-15 02:23:22.000000000 +0900
+++ share/html/Elements/SetupSessionCookie	2009-09-30 08:17:57.000000000 +0900
@@ -53,11 +53,17 @@
 my %cookies      = CGI::Cookie->fetch;
 my $cookiename   = "RT_SID_". RT->Config->Get('rtname');
 $cookiename     .= ".". $ENV{'SERVER_PORT'} if $ENV{'SERVER_PORT'};
-$SessionCookie ||= ( $cookies{$cookiename} ? $cookies{$cookiename}->value : undef ),
+$SessionCookie = ( $cookies{$cookiename} ? $cookies{$cookiename}->value : undef );
 
 tie %session, 'RT::Interface::Web::Session', $SessionCookie;
 undef $cookies{$cookiename} unless $SessionCookie && $session{'_session_id'} eq $SessionCookie;
 
+unless ($session{'CurrentUser'} && $session{CurrentUser}->id) {
+	tied(%session)->delete;
+	undef $cookies{$cookiename};
+	tie %session, 'RT::Interface::Web::Session', undef;
+}
+
 if ( int RT->Config->Get('AutoLogoff') ) {
     my $now = int(time/60);
     my $last_update = $session{'_session_last_update'} || 0;
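Review bot: The added `unless ($session{'CurrentUser'} && $session{CurrentUser}->id)` block deletes and re-ties the session on every request that has no logged-in user, so each request made before authentication gets a fresh session and anything stored in the old one is dropped. If the intent is to stop a pre-login session id from being reused after login, consider regenerating the session at the point where a login succeeds instead of on every anonymous request. After the re-tie, `$SessionCookie` still holds the old id while `$cookies{$cookiename}` has been undefined; resetting `$SessionCookie` in the same block would keep the two consistent for the code that follows. The switch from `||=` to `=` also means any value `$SessionCookie` already had is now always overwritten by the cookie, which deserves a comment explaining why. Style: the new block is tab-indented while the surrounding lines use four spaces, and `CurrentUser` is quoted in one hash lookup and bare in the other.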






