[rt-users] 3.8.x serious security issue with mixing sessions
Leonid Mamchenkov
leonid at mamchenkov.net
Mon Oct 26 09:47:41 EDT 2009
Hi,
On Mon, Oct 26, 2009 at 14:58, Jesse Vincent <jesse at bestpractical.com> wrote:
> > User B was logged in on its own computer at that time but with totally
> > different session id than three above (so I assume user A became user B with
> > some old session of user B).
>
> *nod*
>
> Has _anybody_ else been seeing this? With 3.8.6 or any other version of
> RT?
I saw this issue a few times on RT 3.8.2. However, it doesn't happen
often, and I can't think of a way to catch it. I believe the issue
appeared after we upgraded from 3.6.5.
--
Leonid Mamchenkov