[rt-users] 3.8.x serious security issue with mixing sessions

Jesse Vincent jesse at bestpractical.com
Fri Oct 23 13:41:21 EDT 2009


> No proxy. Also rt is served over https. The session is really changing user 
> because when trying to do something that user A has access to I get permission 
> denied due to B/C not having that access.
> 
> Something else is going on.

* Can you capture the cookies on User A, User B, and User C's systems
  for each HTTP hit to see if 1) they change and 2) they are the same?

  A tool like the Firefox developer toolbar is an easy way to do this.

* Did this also happen with 3.8.5? There's a change to session handling in 3.8.6.


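Once the per-hit cookie captures from users A, B and C have been collected, the two questions above (does each user's session id change between hits, and do two users ever present the same id) can be answered mechanically. The script below is an added example, not code from RT or from anyone in this thread. It assumes the captures were saved as tab-separated text lines (user, time, Cookie header; the sample data here is constructed) and that the RT session cookie name begins with `RT_SID_`, which is treated as an assumption about RT 3.8's cookie naming.

```python
"""Check captured RT session cookies for changes per user and overlap
between users.  Added example, not part of RT; assumes tab-separated
capture lines and an "RT_SID_"-prefixed session cookie (assumption)."""

from collections import defaultdict
import re

# Constructed sample: one line per HTTP hit, as a user might paste them
# out of the Firefox developer toolbar.  Columns: user, time, Cookie header.
# User A's session id changes mid-run and user B then presents A's new id,
# which is the kind of mix-up the thread describes.
SAMPLE_CAPTURE = """\
A\t13:40:01\tRT_SID_rt.example.com.443=aaa111; RT_Version=3.8.6
A\t13:40:07\tRT_SID_rt.example.com.443=aaa111
A\t13:40:15\tRT_SID_rt.example.com.443=bbb222
B\t13:40:09\tRT_SID_rt.example.com.443=bbb222
B\t13:40:20\tRT_SID_rt.example.com.443=bbb222
C\t13:40:12\tRT_SID_rt.example.com.443=ccc333
"""

# Assumed cookie naming: RT_SID_<rtname>.<port>=<session id>
SID_RE = re.compile(r"\bRT_SID_[^=;\s]+=([^;\s]+)")


def session_id(cookie_header):
    """Return the RT session id from a Cookie header, or None if absent."""
    m = SID_RE.search(cookie_header)
    return m.group(1) if m else None


def parse_capture(text):
    """Return a list of (user, time, session_id) for each non-empty line."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, when, cookie = line.split("\t", 2)
        hits.append((user, when, session_id(cookie)))
    return hits


def analyze(hits):
    """Answer the two questions from the mail:
    1) did a user's session id change between hits?
    2) did two different users ever present the same session id?
    Returns (changes, shared): changes maps user -> distinct ids in order
    of first appearance (only users with more than one id); shared maps
    session id -> sorted list of users (only ids seen from several users)."""
    seen = defaultdict(list)     # user -> ids in order of first appearance
    owners = defaultdict(set)    # session id -> users presenting it
    for user, _when, sid in hits:
        if sid is None:          # hit carried no RT session cookie at all
            continue
        if sid not in seen[user]:
            seen[user].append(sid)
        owners[sid].add(user)
    changes = {u: ids for u, ids in seen.items() if len(ids) > 1}
    shared = {sid: sorted(us) for sid, us in owners.items() if len(us) > 1}
    return changes, shared


def report(text=SAMPLE_CAPTURE):
    """Print a human-readable summary and return the analysis."""
    changes, shared = analyze(parse_capture(text))
    for user, ids in changes.items():
        print(f"user {user}: session id changed {' -> '.join(ids)}")
    for sid, users in shared.items():
        print(f"session {sid} presented by users {', '.join(users)}")
    if not changes and not shared:
        print("session ids stable and distinct per user")
    return changes, shared


if __name__ == "__main__":
    report()
```

A clean RT deployment should produce an empty result for both questions: one stable id per user and no id ever shared. Either finding on real captures is the concrete evidence to attach to a bug report, together with the RT version in use, since the mail notes that session handling changed between 3.8.5 and 3.8.6.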
