[rt-users] unprivileged users need to log in twice

Jesse Vincent jesse at bestpractical.com
Wed Dec 9 13:56:54 EST 2009


David,

This is only the second report we've had of this failure mode, but it
_is_ the second report. 

On Wed, Dec 09, 2009 at 10:50:48AM -0800, David Griffith wrote:
> 
> A Debian 5.0 upgrade fixed a session fixation vulnerability on December 1,
> 2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020).  It seems
> that when this happened, my installation now requires unprivileged users
> to log in twice.

What version of RT are you using? Have you customized it in any way? Are
you using only RT's built-in authentication system?

> At the first login, the username and password fields are
> cleared and nothing seems to have happened.  Put in the username and
> password a second time and the user is logged in.  Sometimes if I try to
> log in as an unprivileged user, get put back to the login screen, then
> log in as a privileged user, I get logged in with diminished privileges.

That sentence doesn't make much sense to me. Can you take another shot
at it?


> Would someone please tell me what's going on?  Maybe now would be a good 
> time to upgrade to 3.8?

RT 3.8 is much better than what came before, but we'd certainly not like
to have broken earlier releases with a security fix.

> -- 
> David Griffith
> dgriffi at cs.csubak.edu
> 
> A: Because it fouls the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
