[rt-users] 3.8.x serious security issue with mixing sessions

Jesse Vincent jesse at bestpractical.com
Thu Oct 29 10:37:20 EDT 2009

On Thu, Oct 29, 2009 at 03:30:49PM +0100, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> > On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> > 
> > Today it happened to me.
> 
> And now another story that happened just a few minutes ago:
> 
> I was logged in as A with session_id/cookie, let's say "sessA". When doing 
> something in rt I suddenly got login screen, huh! Checked sessions table - 
> sessA was still there. So I changed cookie preferences in opera and set RT_SID 
> cookie back to "sessA", page refresh and... I'm as A, no need to log in!
> 
> Which looks like my session ("sessA") was still alive and working on rt side 
> but somehow rt passed different session id/cookie to opera and opera used it 
> which in the end caused login screen to appear.

"somehow" is what we need to get to the bottom of. To do that, I need
the HTTP logs including all headers from your client.  I need to see RT
serving you that cookie and to see the request it was on and what else
was in that request.  This is fairly far into "should not be possible"
and I need a bit more of a view into what bit of infrastructure is
causing it.
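Jesse's request is for header-level HTTP logs so that the response that handed out the replacement cookie can be lined up with the request it came in on. The script below is an added example, not part of this thread or of RT itself, that does that matching over a captured log. It assumes a constructed log format (`>>> ` lines are the request, `<<< ` lines are the response, blank lines separate exchanges) and takes the set of session ids still present in the sessions table as a plain Python set; the RT paths in the sample are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Name of RT's session cookie, as given in the thread.
COOKIE_NAME = "RT_SID"


@dataclass
class Exchange:
    """One request/response pair reconstructed from a header-level HTTP log."""
    request_line: str
    request_sid: Optional[str]   # RT_SID the client presented, if any
    status: int
    set_sid: Optional[str]       # RT_SID the server set in the response, if any


@dataclass
class Finding:
    kind: str                    # see audit() for the three kinds
    request_line: str
    old_sid: Optional[str]
    new_sid: str


def sid_from_cookie_header(value: str) -> Optional[str]:
    """Extract the RT_SID value from a Cookie or Set-Cookie header value."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip() == COOKIE_NAME:
            return val.strip()
    return None


def parse_log(text: str) -> List[Exchange]:
    """Parse the constructed log format: blocks separated by blank lines,
    '>>> ' lines belong to the request, '<<< ' lines to the response."""
    exchanges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        request_line, request_sid, status, set_sid = "", None, 0, None
        for line in block.splitlines():
            if line.startswith(">>> "):
                body = line[4:]
                if not request_line:
                    request_line = body           # first request line
                elif body.lower().startswith("cookie:"):
                    request_sid = sid_from_cookie_header(body.split(":", 1)[1])
            elif line.startswith("<<< "):
                body = line[4:]
                if not status:
                    status = int(body.split()[0])  # first response line
                elif body.lower().startswith("set-cookie:"):
                    set_sid = sid_from_cookie_header(body.split(":", 1)[1])
        exchanges.append(Exchange(request_line, request_sid, status, set_sid))
    return exchanges


def audit(exchanges: List[Exchange], live_sessions: Set[str]) -> List[Finding]:
    """Classify every response that hands out a different RT_SID than the
    client sent.  'new_session' (no cookie presented) and
    'replaced_dead_session' (presented id no longer in the sessions table)
    are normal; 'unexpected_rotation' is the case from the thread: the
    presented session is still live, yet the server issued another id."""
    findings = []
    for ex in exchanges:
        if ex.set_sid is None or ex.set_sid == ex.request_sid:
            continue
        if ex.request_sid is None:
            kind = "new_session"
        elif ex.request_sid not in live_sessions:
            kind = "replaced_dead_session"
        else:
            kind = "unexpected_rotation"
        findings.append(Finding(kind, ex.request_line, ex.request_sid, ex.set_sid))
    return findings


# Constructed sample log reproducing the sequence described in the thread.
SAMPLE_LOG = """\
>>> POST /NoAuth/Login.html HTTP/1.1
<<< 302 Found
<<< Set-Cookie: RT_SID=sessA; path=/

>>> GET /Ticket/Display.html?id=42 HTTP/1.1
>>> Cookie: RT_SID=sessA
<<< 200 OK

>>> GET /Search/Results.html HTTP/1.1
>>> Cookie: RT_SID=sessA
<<< 200 OK
<<< Set-Cookie: RT_SID=sessB; path=/

>>> GET /Search/Results.html HTTP/1.1
>>> Cookie: RT_SID=sessB
<<< 302 Found
"""

# Constructed stand-in for the contents of the sessions table.
LIVE_SESSIONS = {"sessA"}

if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), LIVE_SESSIONS):
        print(f"{f.kind:24} {f.old_sid} -> {f.new_sid}  on  {f.request_line}")
```

Run against a real capture, the `unexpected_rotation` findings are exactly the responses Jesse wants to see: each one names the request on which RT (or something in front of it) served a fresh cookie while the old session was still valid, so the full headers of that request and response can be pulled from the log and examined.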