[rt-users] RT_SID cookie not invalidated at logout

Thomas Sibley trs at bestpractical.com
Thu Feb 21 16:28:39 EST 2013


On 02/20/2013 06:07 PM, Jenny Martin wrote:
> All our users authenticate using their LDAP credentials via
> RT-Authen-ExternalAuth plugin.  I just tried creating a local user, and
> RT does the right thing when the local user logs in - it sends back a
> new cookie and removes the old session data.  So the problem seems to be
> with the RT-Authen-ExternalAuth plugin.
> 
> We recently upgraded from RT 4.0.4/ExternalAuth 0.9 to
> RT 4.0.10/ExternalAuth 0.13.  I can't be sure the problem didn't exist
> before, but I didn't notice it.

I've dug into this.  Are you by chance using Oracle for the RT database?
If not, are you explicitly setting the $WebSessionClass option to
Apache::Session::File?

Thomas


