[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Thu Oct 29 10:18:33 EDT 2009
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
Today it happened to me. I suddenly became user B in rt (opera). The real
user B had his PC running with rt opened (firefox) with autorefresh every 2
minutes set, but he was away from his computer.
Now I verified his and mine RT_SID cookie and... I have his cookie aka we both
use the same cookie. I log session_id in rt.log at login, so I also checked
that and had login for user B with that cookie logged in rt.log 20 minutes
ago. sessions table in mysql contained that session_id of course. My initial
cookie that I logged in as user A was also there in sessions table.
So at the end user B and I both have active sessions as user B with the
same cookie. I even did a few steps through rt on both computers to see if
the session_id would change, but no - we are still logged in and still use the same
session_id/cookie.
(feature request: what I miss now is to make session contain IP address
information for better security - so that session would work only from that
one IP)
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
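Two things a defender would want from the situation described in this post are (a) a way to spot, from the login/session id logging the author already does, when one session id is being used by more than one client, and (b) the IP-bound session the author asks for in the feature request. The following Python is an added example, not code from the post or from RT itself; the log line format and the `SessionStore` class are assumptions made up for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the spirit of the post's "log session_id at
# login" habit. The format is an assumption for this example, not RT's own.
SAMPLE_LOG = """\
2009-10-29 09:58:01 login user=userB session_id=a1b2c3 ip=10.0.0.5
2009-10-29 10:02:10 login user=userA session_id=d4e5f6 ip=10.0.0.7
2009-10-29 10:18:33 request user=userB session_id=a1b2c3 ip=10.0.0.7
2009-10-29 10:18:40 request user=userB session_id=a1b2c3 ip=10.0.0.5
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<event>\w+) user=(?P<user>\S+) "
    r"session_id=(?P<sid>\S+) ip=(?P<ip>\S+)"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def shared_sessions(events):
    """Session ids seen from more than one client IP -> {sid: sorted IPs}.

    One id used from two addresses is exactly the symptom in the post:
    two browsers on two machines sharing a single RT_SID.
    """
    ips_by_sid = defaultdict(set)
    for e in events:
        ips_by_sid[e["sid"]].add(e["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}


class SessionStore:
    """Hypothetical server-side store that binds a session to one client IP,
    the mitigation requested at the end of the post."""

    def __init__(self):
        self._sessions = {}

    def create(self, sid, user, ip):
        self._sessions[sid] = {"user": user, "ip": ip}

    def lookup(self, sid, ip):
        """Return the user for sid, or None if unknown or used from another IP.

        A mismatch invalidates the session outright, so a client presenting
        a session id that does not belong to it cannot keep using it.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["ip"] != ip:
            del self._sessions[sid]
            return None
        return rec["user"]


if __name__ == "__main__":
    for sid, ips in shared_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} used from {len(ips)} addresses: {', '.join(ips)}")
```

On the constructed log the detector flags `a1b2c3` as used from both `10.0.0.5` and `10.0.0.7`. IP binding stops the second client from riding an existing session, but it is a mitigation for the symptom only: it does nothing about a server that hands the same id to two logins, and it will log out legitimate users whose address changes (proxies, NAT pools, mobile links), so it is best combined with fixing the id generation itself.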