[rt-users] 3.6 continual re-login issue

Ole Craig ocraig at stillsecure.com
Wed Jul 19 13:51:25 EDT 2006 

On Wed, 2006-07-12 at 12:14 -0400, Covington, Chris wrote:
> On Tue, Jul 11, 2006 at 01:19:02PM -0500, Kaylea Hascall wrote:
> > 
> > Hello all,
> > 
> > I got fed up with trying to make my previous RT install work and removed it,
> > and now I'm running 3.6. The problems I was having with 3.4 are gone, but
> > there's a new problem.
> > 
> > Every time I click on anything, I have to log in again. It saves my 'state'
> > as I go -- logging in again gives me the 'result' of my click. Click, log in,
> > see confirmation screen, click, log in, see next menu, etc. Apache logs don't
> > reveal any problems, and RT isn't logging any errors to its logfile.
> > 
> > I searched the archives and corresponded with Shawn Plummer of CIT SUNY
> > Geneseo, who reported the same (or similar) issue to the list back when 3.6
> > came out, and neither of us have come to any resolution.
> > 
> > Has anyone found a fix for this problem? I'm running gentoo, mysql, apache2,
> > mod_perl -- a combination which worked under 3.4 right up until I broke it by
> > updating my perl modules. Maybe it is still a perl module versioning issue,
> > but I don't know which module to blame :/
> 
> Me neither.  I have had this problem for several months.  I'm using
> dev-perl/DBD-mysql-3.0004, perl 5.8.8, Mysql 5.0.19, FastCGI, apache 2.0.58.
> My workaround is to use Apache auth instead:
> 
> Set($WebExternalAuth , '1');
> Set($WebFallbackToInternalAuth , '1');
> Set($WebExternalGecos , undef);
> Set($WebExternalAuto , '1');
> 
> It would be nice to fix the problem (it's cookie-related) but I haven't
> been able to so far.

I had the exact same problem and it turned out to be PEBKAC. :-)
I was (of course) using Firefox to access the machine, and under the
"cookies" tab of Firefox's preferences I had the "unless I have removed
cookies set by the site" flag checked.

At some point I was testing logins for different pieces of RT, and I
removed RT's cookies. (In fact, at the moment I can't recall whether I
specifically removed RT's cookies, or if I just clicked the "clear all
cookies" button.) In any case, after that I had exactly the problem
Kaylea describes above, because Firefox saw that I had removed cookies
set by my RT site, and was thus dutifully discarding RT's authentication
cookie -- so my login credentials only lasted for one click.
  
-- 
/Ole Craig
Security Engineer

303-381-3802 (main support hotline)
303-381-3824 (my direct line)
303-381-3801 (fax)

www.stillsecure.com
. . .

More information about the rt-users mailing list