[rt-users] RT_SID cookie not invalidated at logout

Thomas Sibley trs at bestpractical.com
Thu Feb 21 16:28:39 EST 2013

On 02/20/2013 06:07 PM, Jenny Martin wrote:
> All our users authenticate using their LDAP credentials via
> RT-Authen-ExternalAuth plugin.  I just tried creating a local user, and
> RT does the right thing when the local user logs in - it sends back a
> new cookie and removes the old session data.  So the problem seems to be
> with the RT-Authen-ExternalAuth plugin.
> We recently upgraded from RT 4.0.4/ExternalAuth 0.9 to
> RT4.0.10/ExternalAuth0.13.  I can't be sure the problem didn't exist
> before, but I didn't notice it.

I've dug into this.  Are you by chance using Oracle for the RT database?
 If not, are you explicitly setting the $WebSessionClass option to


More information about the rt-users mailing list