[rt-users] 3.8.x serious security issue with mixing sessions
Jesse Vincent
jesse at bestpractical.com
Fri Oct 23 13:41:21 EDT 2009
> No proxy. Also rt is served over https. The session is really changing user
> because when trying to do something that user A has access to I get permission
> denied due to B/C not having that access.
>
> Something else is going on.
* Can you capture the cookies on User A, User B, and User C's systems
for each HTTP hit to see if 1) they change and 2) they are the same?
A tool like the Firefox developer toolbar is an easy way to do this.
* Did this also happen with 3.8.5? There's a change to session handling in 3.8.6.
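One way to answer the two questions above once the cookies have been captured, as an added example that is not part of the original thread or of RT itself: the script below takes a constructed capture of per-user HTTP hits (user label, request line, Cookie header), pulls out the RT session cookie, and reports which users' session ids changed between hits and which session ids were sent by more than one user. It assumes RT's session cookie is named with the `RT_SID_` prefix; the sample data is made up to show both findings.

```python
import re
from collections import defaultdict

# Assumption: RT names its session cookie RT_SID_<host>.<port>. Adjust SID_RE
# if your instance uses a different name.
SID_RE = re.compile(r"RT_SID_[^=;\s]+=([^;\s]+)")
# One captured hit per line: "<user> <method> <path> Cookie: <cookie header>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+Cookie:\s*(.*)$")

# Constructed capture: B's second hit carries A's session id (mixed sessions),
# and C's session id silently changes between two hits.
CAPTURE = """\
A GET /Ticket/Display.html?id=1 Cookie: RT_SID_rt.example.com.443=aaaa1111; x=1
A GET /Search/Build.html Cookie: RT_SID_rt.example.com.443=aaaa1111
B GET /Ticket/Display.html?id=2 Cookie: RT_SID_rt.example.com.443=bbbb2222
B GET /Ticket/Display.html?id=1 Cookie: RT_SID_rt.example.com.443=aaaa1111
C GET /Ticket/Display.html?id=3 Cookie: RT_SID_rt.example.com.443=cccc3333
C GET /Ticket/Modify.html?id=3 Cookie: RT_SID_rt.example.com.443=cccc3334
"""

def parse_hits(capture):
    """Return [(user, method, path, sid)] per hit; sid is None if no RT cookie."""
    hits = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        user, method, path, cookies = m.groups()
        sid_m = SID_RE.search(cookies)
        hits.append((user, method, path, sid_m.group(1) if sid_m else None))
    return hits

def analyze(hits):
    """1) Which users' session ids change? 2) Which ids are shared across users?"""
    per_user = defaultdict(list)  # user -> session ids in hit order
    per_sid = defaultdict(set)    # session id -> users observed sending it
    for user, _method, _path, sid in hits:
        if sid is None:
            continue
        per_user[user].append(sid)
        per_sid[sid].add(user)
    changed = {u: s for u, s in per_user.items() if len(set(s)) > 1}
    shared = {s: sorted(us) for s, us in per_sid.items() if len(us) > 1}
    return {"changed": changed, "shared": shared}

if __name__ == "__main__":
    result = analyze(parse_hits(CAPTURE))
    for user, sids in result["changed"].items():
        print(f"session id changed for {user}: {' -> '.join(sids)}")
    for sid, users in result["shared"].items():
        print(f"session id {sid} sent by more than one user: {', '.join(users)}")
```

A shared id is the finding that matters for the symptom in this thread: it means two browsers are presenting the same server-side session, so the server cannot be blamed for "changing" the user on its own.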