[rt-users] RT_SID cookie not invalidated at logout

Thomas Sibley trs at bestpractical.com
Tue Feb 19 22:24:56 EST 2013


On 02/19/2013 04:32 PM, Jenny Martin wrote:
> I use RT on several computers, and found that changes I made to RT-at-a-glance
> on one were not seen when I re-logged in on another.  The browser is presenting
> the RT_SID cookie from a previous session, and RT then seems to use the cached
> RT-at-a-glance data perhaps from /opt/rt4/var/session_data.

The configuration of "RT at a glance" is indeed stored in the session.
This means that if you have two sessions, you'll need to log out of the
second and log back in before you'll see changes made by the first.
It's generally a minor annoyance since the configuration of the RT at a
glance page doesn't usually change very often.

RT invalidates the current session on logout, but of course it doesn't
invalidate any other sessions the same user may have; otherwise you'd be
logged out of your other devices.

> Also if I log out of RT and log in again as a different user, the new user is
> authenticated correctly and gains the correct rights, but gets the (broken)
> RT-at-a-glance settings of the previous user.

This claim is very different and suggests that RT is mixing sessions
between users.  I doubt that is happening; all previous cases of mixed
sessions between different users were caused by improper caching layers
at the webserver or network level.  Do you have mod_cache enabled in Apache?

Please verify you can reproduce this reliably, and then submit the
reproduction steps.  If possible, include a network trace (using a wire
sniffer or something like Firebug/Web inspector in your browser).

> I am running RT 4.0.10 with mod_fcgid 2.3.6 and RT-Authen-ExternalAuth ldap
> authentication.

Thanks for the RT version; it's good to see someone running the latest
when reporting issues.
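
An added example, not part of the original message or of RT: one way to review the network trace requested above for signs that a caching layer is replaying session cookies. The trace entries, host name and cookie values are constructed, and the cacheability test is a simplified heuristic.

```python
# Constructed sample trace (not from the thread): who sent the request and
# the response headers a browser inspector would show for it.
TRACE = [
    {"who": "alice", "headers": {"Set-Cookie": "RT_SID_rt.example.80=aaa111; path=/",
                                 "Cache-Control": "no-cache"}},
    {"who": "bob", "headers": {"Set-Cookie": "RT_SID_rt.example.80=aaa111; path=/",
                               "Cache-Control": "max-age=300", "Age": "42"}},
    {"who": "carol", "headers": {"Set-Cookie": "RT_SID_rt.example.80=ccc333; path=/",
                                 "Cache-Control": "private, no-store"}},
]

def rt_sid(headers):
    """Return the RT_SID* cookie value set by this response, or None."""
    pair = headers.get("Set-Cookie", "").split(";", 1)[0]
    name, _, value = pair.partition("=")
    return value if name.strip().startswith("RT_SID") else None

def storable_by_shared_cache(headers):
    """Heuristic: no Cache-Control directive stops a shared cache reusing it."""
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    return not directives & {"no-store", "private", "no-cache"}

def audit(trace):
    """Flag responses where a session cookie may be shared between users."""
    findings, owner = [], {}
    for i, entry in enumerate(trace):
        sid = rt_sid(entry["headers"])
        if sid is None:
            continue
        if storable_by_shared_cache(entry["headers"]):
            findings.append((i, "session cookie on a cacheable response"))
        if "Age" in entry["headers"]:  # Age is added by a cache, not the origin
            findings.append((i, "session cookie served from a cache"))
        first = owner.setdefault(sid, entry["who"])
        if first != entry["who"]:
            findings.append((i, f"session id also issued to {first}"))
    return findings

if __name__ == "__main__":
    for index, reason in audit(TRACE):
        print(f"response {index} ({TRACE[index]['who']}): {reason}")
```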


