[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Thu Oct 29 10:18:33 EDT 2009


On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:

Today it happened to me. I suddenly became user B in rt (opera). The real 
user B had his PC running with rt open (firefox), with autorefresh every 2 
minutes set, but he was away from his computer.

Now I verified his and my RT_SID cookie and... I have his cookie, i.e. we both 
use the same cookie.  I log session_id in rt.log at login, so I also checked 
that and had a login for user B with that cookie logged in rt.log 20 minutes 
ago. The sessions table in mysql contained that session_id of course. My initial 
cookie, from when I logged in as user A, was also there in the sessions table.

So in the end, user B and I both have active sessions as user B with the 
same cookie. I even did a few steps through rt on both computers to see if the 
session_id would change, but no - we are still logged in and still use the same 
session_id/cookie.

(feature request: what I miss now is making the session contain IP address 
information for better security - so that a session would work only from that 
one IP)
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
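The symptom described above (one RT_SID value in use by two different accounts, and one session id appearing from two machines) can be caught from the login log the poster mentions. The following is an added example, not code from the original post or from RT: it assumes a simple constructed log line format `<date> <time> login user=<name> sid=<session_id> ip=<address>`, since the message does not show how session_id is written to rt.log, and flags any session id that is bound to more than one user or seen from more than one IP.

```python
"""Flag session ids that are shared between accounts or between source IPs.

Added example, not part of the original mailing list post and not RT code.
The log line format below is an assumption; adapt LINE_RE to your rt.log.
"""
import re
from collections import defaultdict

# Constructed sample lines in the assumed format; the third line reuses the
# session id of the first, which is the situation the post describes.
SAMPLE_LOG = """\
2009-10-29 09:58:01 login user=userB sid=abc123 ip=10.0.0.5
2009-10-29 10:03:14 login user=userC sid=def456 ip=10.0.0.6
2009-10-29 10:18:33 login user=userA sid=abc123 ip=10.0.0.7
this line is not a login record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) login user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+)$"
)


def parse_logins(text):
    """Yield (timestamp, user, sid, ip) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("sid"), m.group("ip")


def shared_sessions(text):
    """Return {sid: sorted users} for session ids logged in by more than one account."""
    users_by_sid = defaultdict(set)
    for _ts, user, sid, _ip in parse_logins(text):
        users_by_sid[sid].add(user)
    return {sid: sorted(u) for sid, u in users_by_sid.items() if len(u) > 1}


def multi_ip_sessions(text):
    """Return {sid: sorted IPs} for session ids seen from more than one address.

    This is the check the poster's feature request would enforce at request
    time: a session that was issued to one IP should not be accepted from another.
    """
    ips_by_sid = defaultdict(set)
    for _ts, _user, sid, ip in parse_logins(text):
        ips_by_sid[sid].add(ip)
    return {sid: sorted(i) for sid, i in ips_by_sid.items() if len(i) > 1}


if __name__ == "__main__":
    for sid, users in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} is used by several accounts: {', '.join(users)}")
    for sid, ips in multi_ip_sessions(SAMPLE_LOG).items():
        print(f"session {sid} seen from several IPs: {', '.join(ips)}")
```

Run against a real rt.log, any non-empty result from either function is worth investigating: a shared session id means two people are acting as the same account, which is exactly what the post reports, and a session seen from more than one IP is the condition the requested IP binding would refuse.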
