[rt-users] RT_SID cookie not invalidated at logout

Thomas Sibley trs at bestpractical.com
Wed Feb 20 18:43:34 EST 2013


On 02/20/2013 12:00 PM, Jenny Martin wrote:
> It looks like the session is not invalidated on logout.  The cookie is
> still valid in my browser, and the corresponding session is still
> present in session-data.

The cookie being valid doesn't matter.  What matters is that RT
invalidates the session on the server-side, so it can't be reused.

> I attach an http trace and you can see that the logout response
> explicitly sets the old cookie.  I have disabled mod_cache and
> mod_disk_cache.  No web proxies in use.

Thank you for the trace.  Please send your Apache config as well, and
keep replies on list for posterity.

Do you have any local customizations to RT?
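
The distinction drawn in this reply, as an added example that is not part of the original message and is not RT's code: a constructed in-memory session table with two hypothetical logout handlers, one that only expires the browser cookie and one that deletes the server-side record, followed by a replay of the captured cookie. Only the cookie name `RT_SID` comes from the thread; the class, method names and user are assumptions.

```python
import secrets

COOKIE = "RT_SID"  # cookie name from the thread; everything else here is constructed


class SessionStore:
    """Toy server-side session table (hypothetical stand-in for a session backend)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return sid

    def authenticate(self, cookies):
        """Return the user for the presented cookie, or None if the id is unknown."""
        session = self._sessions.get(cookies.get(COOKIE, ""))
        return session["user"] if session else None

    def logout_cookie_only(self, cookies):
        """Weak logout: asks the browser to drop the cookie, keeps the server record."""
        return {"Set-Cookie": f"{COOKIE}=; Max-Age=0"}

    def logout_server_side(self, cookies):
        """Logout that deletes the server-side record, so the old id maps to nothing."""
        self._sessions.pop(cookies.get(COOKIE, ""), None)
        return {}  # the client may keep sending the old cookie; it is now worthless


def replay_after_logout(logout_name):
    """Log in, log out with the named handler, then present the captured cookie again."""
    store = SessionStore()
    captured = {COOKIE: store.login("alice")}  # constructed user; copy kept by the client
    getattr(store, logout_name)(captured)
    return store.authenticate(captured)


if __name__ == "__main__":
    for name in ("logout_cookie_only", "logout_server_side"):
        user = replay_after_logout(name)
        print(f"{name}: replayed cookie -> {'ACCEPTED as ' + user if user else 'rejected'}")
```

Against a real deployment the equivalent check is to record the cookie value before logout, log out, and confirm that a request carrying the recorded value is answered with the login page rather than authenticated content.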


