[rt-users] SelfService users need to login twice

[ktm at rice.edu]

On Fri, May 13, 2011 at 12:36:55PM -0400, Kevin Falcone wrote:
> On Fri, May 13, 2011 at 11:18:52AM -0500, ktm at rice.edu wrote:
> > On Fri, May 13, 2011 at 11:56:19AM -0400, Kevin Falcone wrote:
> > > On Fri, May 13, 2011 at 10:37:44AM -0500, ktm at rice.edu wrote:
> > > > On Fri, May 13, 2011 at 10:27:05AM -0500, ktm at rice.edu wrote:
> > > > > Hi,
> > > > > 
> > > > > I am investigating a problem with the SelfService login page where
> > > > > unprivileged users must login two times in a row for it to succeed.
> > > > > I found this thread:
> > > > > 
> > > > > http://www.gossamer-threads.com/lists/rt/users/90794
> > > > > 
> > > > > and I think that my issue is the same. Unfortunately, I cannot
> > > > > find the original patch for 3.8.0 - 3.8.5 that I applied. Does
> > > > > anyone have a copy of the patch or an idea on how to debug this.
> > > > > 
> > > > > Regards,
> > > > > Ken
> > > > > 
> > > > 
> > > > I had to make the same change to:
> > > > 
> > > > share/html/Elements/SetupSessionCookie
> > > > 
> > > > as described in the thread to eliminate the double login.
> > > > Like the original thread, I am curious if there is a problem
> > > > with this fix or a better one? I am running 3.8.5.
> > > 
> > > I'm not sure which fix you're referencing, since my sha1 in that
> > > thread was for the 3.6 fix, which was a backport of 
> > > 84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8
> > > 
> > > This was a fix for users going to http://rt.server/ and logging in and
> > > losing the cookie when being redirected by mod_perl to
> > > http://rt.server/SelfService/
> > > 
> > > Again, not sure what fix you applied, so it's hard to comment further.
> > > 
> > > -kevin
> > 
> > It was the 3.8 session fixation patch.
> 
> So, that fixed the double login or caused it?
> 
> -kevin

It caused it. I removed the second half of the test in the unless
just like the mention in the thread. Then it worked again, but 
with what consequences?

Ken