[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
Arkadiusz Miskiewicz
arekm at maven.pl
Tue Nov 3 02:49:47 EST 2009
On Monday 02 of November 2009, Jesse Vincent wrote:
> > Cache: no-cache but that will prevent caching at all. Seems to be no way
> > to prevent caching cookies from the application side.
>
> What's the current state of browser in-memory/on-disk caching with the
> Cache: no-cache header?
>
> The attached patch against 3.8.6 might be the right solution for you. I'd
> consider making this change to RT if you can report back and tell me if
> it does the right thing for you:
This patch doesn't solve the issue. People still get mixed sessions (test was
done after deleting all sessions from sessions table and restarting apache).
> diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
> index b82b638..dccf829 100755
> --- a/lib/RT/Interface/Web.pm
> +++ b/lib/RT/Interface/Web.pm
> @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
> return unless $m->base_comp->path =~
> RT->Config->Get('WebNoAuthRegex');
>
> # If it's a noauth file, don't ask for auth.
> - SendSessionCookie();
> $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %$ARGS );
> $m->abort;
> }
>
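Review bot: the comment left in place, "# If it's a noauth file, don't ask for auth.", no longer describes what the hunk does once SendSessionCookie() is removed; add a line saying that the session cookie is deliberately not sent on WebNoAuthRegex paths so that a cached no-auth response cannot hand one user's Set-Cookie to another. Note also that this hunk only stops the cookie being emitted on no-auth pages; it does nothing for pages that still send the cookie, so the Cache-Control question raised earlier in the thread (no-cache vs. not caching at all) is left unaddressed by the patch, which matches the report above that sessions are still mixed after applying it.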
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/