[rt-users] 3.8.x serious security issue with mixing sessions

Leonid Mamchenkov leonid at mamchenkov.net
Mon Oct 26 09:47:41 EDT 2009


Hi,

On Mon, Oct 26, 2009 at 14:58, Jesse Vincent <jesse at bestpractical.com> wrote:
> > User B was logged in on its own computer at that time but with totally
> > different session id than three above (so I assume user A became user B with
> > some old session of user B).
>
> *nod*
>
> Has _anybody_ else been seeing this? With 3.8.6 or any other version of
> RT?

I saw this issue a few times on RT 3.8.2. However, it doesn't happen
often, and I can't think of a way to catch it. I believe the issue
appeared after we upgraded from 3.6.5.

--
Leonid Mamchenkov


