[rt-users] [bug report] intermittent login / sessioning problem

Rick Bradley rt-users at rickbradley.com
Fri Sep 27 09:33:14 EDT 2002

> Bug Report Summary
> ------------------
> Behavior Expected:  Web interface should allow logins for known active
>                     users
> Behavior Observed:  Periodically the web interface will deny logins
>                     for any valid user, returning a "Your username or
>                     password is incorrect" message.  Once a sequence
>                     of steps is taken (described below) the problem
>                     disappears.  The problem recurs periodically.
> Versions:           RT-2.0.14 from source, Debian Linux (kernel SMP
>                     2.4.19), Apache 1.3.26, MySQL 3.23.52

Additional information

I can reliably trigger this behavior in the following manner (note that
this is almost certainly not how we reach this no-login state in normal

 - log in as a valid user and do not log out
 - stop the Apache web server
 - delete the session files in WebRT/sessiondata
 - start the Apache web server
 - on the still-open logged-in web page click a link

User is forcibly logged out and no users can log in again until the
"fix" script I included in the initial report is run.

There is some other means of triggering this problem through normal
usage.  Note that I disabled the sessiondata cleanup cron job after a
couple of days of dealing with this problem so that's not triggering
this lockout behavior.

By modifying the login error messages in WebRT/data/obj/standard/autohandler
I have been able to determine that the "Your username or password is
incorrect" message is coming from line 62 of that file.  This is where the
session's password is checked, but my guess is the session data as
retrieved is invalid and should be invalidated before checking.  Not
being familiar with the code it would take me a while to identify a fix.

 http://www.rickbradley.com    MUPRN: 333    (64F/64F)
                       |  think it got hit by
   random email haiku  |  lightning or something." So, I
                       |  think that one's no go.
