3.8.x serious security issue with mixing sessions

RT Users
1

I have a very serious security problem with 3.8 installation (3.8.6
currently).

Logged User sessions are being mixed up. One logged user is becoming another
logged user as seen by rt. It happens in different moments.

For example I’m user A and after clicking to view some ticket I become user B.

Or I’m logged in into user A but suddently I get monit about need to log in
and after loging in with user A data I’m becoming user C (in this case
“Successful login for …” isn’t logged into logs).

Tried using default settings (session keept in mysql) but also
Apache::Session::File. Problem happens in both cases. I’m using mod_perl to
run rt.

Happens with different browsers, firefox, opera.

Any ideas on how to debug it?

perl packages are in fresh versions:

apache-mod_perl-2.0.4-3.i686
openssl-tools-perl-0.9.8k-2.i686
perl-AI-DecisionTree-0.08-2.i686
perl-AnyData-0.10-4.noarch
perl-Apache-DBI-1.06-1.noarch
perl-Apache-Scoreboard-2.08-7.i686
perl-Apache-Session-1.88-1.noarch
perl-Apache-Session-Wrapper-0.33-1.noarch
perl-Apache-VMonitor-2.06-1.noarch
perl-AppConfig-1.66-1.noarch
perl-Authen-SASL-2.13-1.noarch
perl-base-5.10.1-2.i686
perl-Bit-Vector-7.1-1.i686
perl-BSD-Resource-1.2901-2.i686
perl-Cache-DB_File-0.2-7.noarch
perl-Cache-Simple-TimedExpiry-0.27-1.noarch
perl-Calendar-Simple-1.19-1.noarch
perl-Carp-Assert-0.20-2.noarch
perl-Carp-Assert-More-1.12-3.noarch
perl-Carp-Clan-6.00-1.noarch
perl-CGI-3.48-1.noarch
perl-CGI-LogCarp-1.12-10.noarch
perl-CGI-SpeedyCGI-2.22-15.i686
perl-Chart-PNGgraph-1.21-7.noarch
perl-Class-Accessor-0.34-1.noarch
perl-Class-Accessor-Chained-0.01-2.noarch
perl-Class-Container-0.12-2.noarch
perl-Class-Data-Inheritable-0.08-1.noarch
perl-Class-Inspector-1.24-1.noarch
perl-Class-MakeMethods-1.01-2.noarch
perl-Class-MethodMaker-2.11-2.i686
perl-Class-MixinFactory-0.92-2.noarch
perl-Class-ReturnValue-0.55-1.noarch
perl-Class-Singleton-1.4-1.noarch
perl-Clone-0.31-1.i686
perl-Config-Tiny-2.12-2.noarch
perl-Convert-ASN1-0.21-2.noarch
perl-Convert-Recode-1.04-2.noarch
perl-CSS-Squish-0.07-1.noarch
perl-Curses-1.26-2.i686
perl-Curses-Forms-1.997-1.noarch
perl-Curses-Widgets-1.997-5.noarch
perl-Data-Flow-0.09-3.noarch
perl-Data-ICal-0.13-5.noarch
perl-Data-Library-0.1-1.noarch
perl-Date-Calc-6.0-1.i686
perl-DateTime-0.50-1.i686
perl-DateTime-Event-ICal-0.09-2.noarch
perl-DateTime-Event-Recurrence-0.16-4.noarch
perl-DateTime-Format-ICal-0.09-1.noarch
perl-DateTime-Format-Mail-0.3001-1.noarch
perl-DateTime-Format-Strptime-1.0701-1.noarch
perl-DateTime-Format-W3CDTF-0.04-1.noarch
perl-DateTime-Locale-0.44-1.noarch
perl-DateTime-Set-0.25-3.noarch
perl-DateTime-TimeZone-0.72-1.noarch
perl-DBD-AnyData-0.09-1.noarch
perl-DBD-Chart-0.82-2.noarch
perl-DBD-CSV-0.22-3.noarch
perl-DBD-LDAP-0.10-1.i686
perl-DBD-mysql-4.013-1.i686
perl-DBD-ODBC-1.23-1.i686
perl-DBD-Pg-2.15.1-3.i686
perl-DBD-SQLite-1.25-1.i686
perl-DBD-Sybase-1.09-2.i686
perl-DBD-XBase-0.241-3.noarch
perl-DB_File-1.820-2.i686
perl-DBI-1.608-1.i686
perl-DBI-ProfileDumper-Apache-1.608-1.i686
perl-DBIx-Abstract-1.006-2.noarch
perl-DBIx-AbstractLite-0.02-5.noarch
perl-DBIx-AnyDBD-2.01-4.noarch
perl-DBIx-BLOB-Handle-0.2-6.noarch
perl-DBIx-CGI-0.06-9.noarch
perl-DBIx-ContextualFetch-1.03-2.noarch
perl-DBIx-Copy-0.02-5.noarch
perl-DBIx-Cursor-0.14-4.noarch
perl-DBIx-DataLookup-0.03-5.noarch
perl-DBIx-DataSource-0.02-5.noarch
perl-DBIx-DBSchema-0.36-1.noarch
perl-DBIx-Easy-1.40-2.noarch
perl-DBIx-FetchLoop-0.41-1.noarch
perl-DBIx-HTMLView-0.9-7.noarch
perl-DBIx-Librarian-0.6-2.noarch
perl-DBIx-Recordset-0.26-2.noarch
perl-DBIx-SearchBuilder-1.56-1.noarch
perl-DBIx-SQLEngine-0.93-3.noarch
perl-DBIx-Table-0.04-5.noarch
perl-DBIx-TableHash-1.04-4.noarch
perl-DBIx-TextIndex-0.27-2.i686
perl-DBIx-XML_RDB-0.05-8.noarch
perl-devel-5.10.1-2.i686
perl-Devel-StackTrace-1.22-1.noarch
perl-Devel-Symdump-2.0602-2.noarch
perl-Digest-HMAC-1.01-12.noarch
perl-Digest-SHA1-2.11-3.i686
perl-dirs-2.1-18.i686
perl-Email-Abstract-3.001-1.noarch
perl-Email-Address-1.889-1.noarch
perl-Email-Date-Format-1.002-1.noarch
perl-Email-Simple-2.005-1.noarch
perl-Encode-2.37-1.i686
perl-Error-0.15-7.noarch
perl-Error-Dumb-0.02-4.noarch
perl-Exception-Class-1.26-1.noarch
perl-ExtUtils-MakeMaker-6.54-1.noarch
perl-FCGI-0.67-7.i686
perl-File-Find-Rule-0.30-2.noarch
perl-File-ShareDir-1.00-2.noarch
perl-File-Slurp-9999.12-1.noarch
perl-File-Slurp-Tree-1.24-1.noarch
perl-Font-AFM-1.19-3.noarch
perl-GD-2.44-1.i686
perl-GD-Graph-1.4308-5.noarch
perl-GD-TextUtil-0.86-3.noarch
perl-GnuPG-Interface-0.36-1.noarch
perl-GraphViz-2.02-2.noarch
perl-GSSAPI-0.26-4.i686
perl-GTop-0.15-3.i686
perl-Hook-LexWrap-0.20-1.noarch
perl-HTML-Format-2.04-2.noarch
perl-HTML-Mason-1.42-1.noarch
perl-HTML-Parser-3.62-1.i686
perl-HTML-RewriteAttributes-0.03-1.noarch
perl-HTML-Scrubber-0.08-2.noarch
perl-HTML-Stream-1.60-1.noarch
perl-HTML-Tagset-3.20-1.noarch
perl-HTML-Template-2.9-1.noarch
perl-HTML-Template-Extension-0.26-1.noarch
perl-HTML-Tree-3.23-1.noarch
perl-HTTP-Response-Encoding-0.06-1.noarch
perl-HTTP-Server-Simple-0.41-1.noarch
perl-HTTP-Server-Simple-Mason-0.13-1.noarch
perl-IO-Socket-INET6-2.56-1.noarch
perl-IO-Socket-SSL-1.31-1.noarch
perl-IO-String-1.08-2.noarch
perl-IO-stringy-2.110-2.noarch
perl-IPC-Run-0.84-1.noarch
perl-ldap-0.39-1.noarch
perl-libapreq2-2.12-1.i686
perl-libs-5.10.1-2.i686
perl-libwww-5.833-1.noarch
perl-List-MoreUtils-0.22-4.i686
perl-Locale-Maketext-1.13-2.noarch
perl-Locale-Maketext-Fuzzy-0.10-1.noarch
perl-Locale-Maketext-Lexicon-0.77-1.noarch
perl-Log-Channel-0.7-2.noarch
perl-Log-Dispatch-2.26-1.noarch
perl-Log-Dispatch-Config-1.02-1.noarch
perl-LWP-Parallel-2.57-2.noarch
perl-Mail-GnuPG-0.15-1.noarch
perl-Mail-POP3Client-2.18-1.noarch
perl-Mail-SpamAssassin-3.2.5-2.i686
perl-Mail-SPF-Query-1.999.1-2.noarch
perl-MailTools-2.04-1.noarch
perl-MasonX-Interp-WithCallbacks-1.17-1.noarch
perl-MasonX-Lexer-MSP-0.11-2.noarch
perl-MasonX-Profiler-0.06-2.noarch
perl-MasonX-Request-ExtendedCompRoot-0.03-2.noarch
perl-MasonX-Request-ExtendedCompRoot-WithApacheSession-0.03-1.noarch
perl-MasonX-Request-HTMLTemplate-0.05-1.noarch
perl-MasonX-Request-WithApacheSession-0.30-1.noarch
perl-MasonX-Resolver-CVS-0.02-1.noarch
perl-MIME-Base64-3.07-3.i686
perl-MIME-Explode-0.38-2.i686
perl-MIME-Fast-1.6-2.i686
perl-MIME-Lite-3.027-1.noarch
perl-MIME-tools-5.427-1.noarch
perl-MIME-Types-1.28-1.noarch
perl-mod_perl-2.0.4-3.i686
perl-modules-5.10.1-2.i686
perl-Module-Versions-Report-1.06-1.noarch
perl-Net-CIDR-Lite-0.20-2.noarch
perl-Net-Daemon-0.43-2.noarch
perl-Net-DNS-0.65-2.i686
perl-Net-IP-1.25-2.noarch
perl-Net-Jabber-2.0-2.noarch
perl-Net-Server-0.97-3.noarch
perl-Net-SSLeay-1.30-5.i686
perl-Net-XMPP-1.02-1.noarch
perl-Number-Compare-0.01-4.noarch
perl-Params-CallbackRequest-1.19-1.noarch
perl-Params-Util-1.00-2.i686
perl-Params-Validate-0.91-2.i686
perl-parent-0.223-1.noarch
perl-Parse-RecDescent-1.962.2-1.noarch
perl-PerlIO-eol-0.14-3.i686
perl-PlRPC-0.2020-1.noarch
perl-Pod-Escapes-1.04-2.noarch
perl-Pod-Tree-1.16-1.noarch
perl-POE-1.268-1.noarch
perl-PPI-1.206-1.noarch
perl-Regexp-Common-2.122-1.noarch
perl-relative-0.04-1.noarch
perl-RT-Client-REST-0.37-1.noarch
perl-Scalar-List-Utils-1.21-1.i686
perl-Set-Infinite-0.63-1.noarch
perl-Socket6-0.23-1.i686
perl-SQL-Statement-1.15-2.noarch
perl-Sys-Hostname-Long-1.4-2.i686
perl-Template-Toolkit-2.22-1.i686
perl-Term-ReadKey-2.30-5.i686
perl-Test-Email-0.07-2.noarch
perl-Test-HTTP-Server-Simple-0.03-1.noarch
perl-Test-HTTP-Server-Simple-StashWarnings-0.03-2.noarch
perl-Test-LongString-0.11-1.noarch
perl-Test-WWW-Mechanize-1.24-1.noarch
perl-Text-Autoformat-1.666.0-1.noarch
perl-Text-CSV_XS-0.67-1.i686
perl-Text-Glob-0.08-1.noarch
perl-Text-Quoted-2.05-1.noarch
perl-Text-Reform-1.20-1.noarch
perl-Text-Template-1.45-1.noarch
perl-Text-vFile-asData-0.05-2.noarch
perl-Text-WikiFormat-0.79-2.noarch
perl-Text-Wrapper-1.02-1.noarch
perl-Tie-Watch-1.2-3.noarch
perl-TimeDate-1.19-1.noarch
perl-Time-modules-2006.0814-1.noarch
perl-Tk-804.028-5.i686
perl-tools-pod-5.10.1-2.i686
perl-Tree-DAG_Node-1.06-1.noarch
perl-Tree-MultiNode-1.0.10-2.noarch
perl-Tree-Nary-1.3-2.noarch
perl-Tree-RedBlack-0.5-1.noarch
perl-Tree-Simple-1.18-1.noarch
perl-Tree-Simple-VisitorFactory-0.10-2.noarch
perl-Tree-Trie-1.5-1.noarch
perl-UNIVERSAL-require-0.11-1.noarch
perl-URI-1.40-1.noarch
perl-Want-0.18-2.i686
perl-WWW-Mechanize-1.60-1.noarch
perl-XML-NamespaceSupport-1.10-1.noarch
perl-XML-Parser-2.36-5.i686
perl-XML-RSS-1.46-1.noarch
perl-XML-SAX-0.96-1.noarch
perl-XML-Simple-2.18-2.noarch
perl-XML-Stream-1.22-3.noarch
perl-YAML-0.68-1.noarch

config:

grep -v ‘^#’ /etc/rt3/RT_SiteConfig.pm | grep -v ‘^$’

Set($rtname, ‘domena.pl’);
Set($EmailSubjectTagRegex, qr/(?:bla1.eu|bla2.pl)/i );
Set($Organization , “Something”);
Set($Timezone , ‘Europe/Warsaw’);
Set($DatabaseUser , ‘someuser’);
Set($DatabasePassword , ‘somepass’);
Set($DatabaseName , ‘rt3’);
Set($OwnerEmail , ‘sysadmin@ble3.pl’);
Set($LoopsToRTOwner , 0);
Set($StoreLoops , 0);
Set($MaxAttachmentSize , 10000000);
Set($RTAddressRegexp , ‘^rt@rt.ble.pl$’);
Set($CanonicalizeOnCreate , 0);
Set($CorrespondAddress , ‘sysadmin@ble3.pl’);
Set($CommentAddress , ‘sysadmin@ble3.pl’);
Set($MailCommand , ‘sendmailpipe’);
Set($SendmailArguments , “-oi -t”);
Set($SendmailBounceArguments , ‘-f “<>”’);
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , “"%s via RT" <%s>”);
Set($UseFriendlyToLine , 1);
Set($NotifyActor, 0);
Set($RecordOutgoingEmail, 1);
Set($LogToSyslog , ‘error’);
Set($LogToScreen , ‘error’);
Set($LogToFile , ‘debug’);
Set($LogDir, ‘/var/log’);
Set($LogToFileNamed , “rt.log”); #log to rt.log
Set($WebPath , “”);
Set($WebPort , 443);
Set($WebBaseURL , “https://rt.ble.eu”);
Set($WebURL , $WebBaseURL . $WebPath . “/”);
Set($WebImagesURL , $WebPath . “/NoAuth/images/”);
Set($LogoURL , $WebImagesURL . “bplogo.gif”);
Set($MessageBoxRichText, 0);
Set($MessageBoxWidth , 120);
Set($MessageBoxHeight, 25);
Set($WikiImplicitLinks, 0);
Set($MaxInlineBody, 15728640);
Set($DefaultSummaryRows, 50);
Set($OldestTransactionsFirst, ‘1’);
Set($ShowTransactionImages, 1);
Set($HomepageComponents, [qw(QuickCreate Quicksearch MyAdminQueues
MySupportQueues MyReminders RefreshHomepage)]);
@EmailInputEncodings = qw(utf-8 iso-8859-2 iso-8859-1 us-ascii) unless
(@EmailInputEncodings);
Set($EmailOutputEncoding , ‘utf-8’);
Set($DateDayBeforeMonth , 1);
Set($AmbiguousDayInPast , 1);
Set($TrustHTMLAttachments, 1);
Set(%GnuPGOptions,
homedir => ‘/var/lib/rt-gpg’,
);
Set($AutoLogoff, 180);
Set($WebSecureCookies, 1);
1;

part of vhost config:
DocumentRoot /usr/share/rt3/html
Alias /NoAuth/images/ /usr/share/rt3/html/NoAuth/images/
Alias /error/ “/home/services/httpd/error/”
AddDefaultCharset UTF-8

PerlModule Apache2::compat

PerlModule Apache::DBI
PerlRequire /usr/bin/webmux.pl

<Location /error>
</Location>      

<Location />
    AuthUserFile /somefile
    AuthGroupFile /dev/null                     
    AuthName Strefa-admin                       
    AuthType Basic                              
    AddDefaultCharset UTF-8                     
    Options ExecCGI

    SetHandler perl-script
    PerlHandler RT::Mason
</Location>

ps. I didn’t have this problem for some time but it started to happen again :confused:

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

2

I have a very serious security problem with 3.8 installation (3.8.6
currently).

Logged User sessions are being mixed up. One logged user is becoming another
logged user as seen by rt. It happens in different moments.

For example I’m user A and after clicking to view some ticket I become user B.

Or I’m logged in into user A but suddently I get monit about need to log in
and after loging in with user A data I’m becoming user C (in this case
“Successful login for …” isn’t logged into logs).

Tried using default settings (session keept in mysql) but also
Apache::Session::File. Problem happens in both cases. I’m using mod_perl to
run rt.

I don’t think I’ve ever seen this wtih RT, but I have seen it with other applications

  • the cause is usually an HTTP proxy that’s caching RT’s pages. Do you
    have any sort of HTTP proxy between your browsers and your server?

-jesse

3

I have a very serious security problem with 3.8 installation (3.8.6
currently).

Logged User sessions are being mixed up. One logged user is becoming
another logged user as seen by rt. It happens in different moments.

For example I’m user A and after clicking to view some ticket I become
user B.

Or I’m logged in into user A but suddently I get monit about need to log
in and after loging in with user A data I’m becoming user C (in this case
“Successful login for …” isn’t logged into logs).

Tried using default settings (session keept in mysql) but also
Apache::Session::File. Problem happens in both cases. I’m using mod_perl
to run rt.

I don’t think I’ve ever seen this wtih RT, but I have seen it with other
applications - the cause is usually an HTTP proxy that’s caching RT’s
pages. Do you have any sort of HTTP proxy between your browsers and your
server?

No proxy. Also rt is served over https. The session is really changing user
because when trying to do something that user A has access to I get permission
denied due to B/C not having that access.

Something else is going on.

-jesse

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

4

No proxy. Also rt is served over https. The session is really changing user
because when trying to do something that user A has access to I get permission
denied due to B/C not having that access.

Something else is going on.

  • Can you capture the cookies on User A, User B, and User C’s systems
    for each HTTP hit to see if 1) they change and 2) they are the same?

    A tool like the firefox developer toolbar is an easy way to do this.

  • Did this also happen with 3.8.5? There’s a change to session handling in 3.8.6.

5

No proxy. Also rt is served over https. The session is really changing
user because when trying to do something that user A has access to I get
permission denied due to B/C not having that access.

Something else is going on.

  • Can you capture the cookies on User A, User B, and User C’s systems
    for each HTTP hit to see if 1) they change and 2) they are the same?

    A tool like the firefox developer toolbar is an easy way to do this.

That will be hard to do but will try to get some info (in reality it happens
here for different users which I don’t control but it also happened for me and
my coworker).

  • Did this also happen with 3.8.5?

I had this in 3.6.6, whatever was current in march 2008, april 2008 (looking
at irc logs on when I tried to get some help at #rt), 3.8.2 and now 3.8.6.
Maybe other too, don’t remember versions.

Note that the issue was gone for some time (3.8.5 for sure, 3.8.4, too afaik)
but it’s back after I upgraded to 3.8.6. I also upgraded system, so some perl*
packages were updated, too.

Now why it was gone for some time it’s unknown thing.

There’s a change to session handling in
3.8.6.

Which git commit is that?

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

6

A tool like the firefox developer toolbar is an easy way to do this.
HTTPFox might be a good solution too. You can simply tell it to start tracking
as you use RT, and stop it once you encounter the problem. Examine the
results, debug, and or sanitize and share.

Everyone experiencing the problem doesn’t have to install the add-on,
just someone who has the issue.
Cambridge Energy Alliance: Save money. Save the planet.

7

Arkadiusz Miskiewicz wrote:

I have a very serious security problem with 3.8 installation (3.8.6
currently).

Logged User sessions are being mixed up. One logged user is becoming another
logged user as seen by rt. It happens in different moments.

Are you using HTTP authentication or RT’s built-in login page? If the
former, it’s likely a leaky apache process, squid or auth_cache problem
(not RT); if the latter, then most likely a caching issue or possibly RT
bug.

Matthew Keller
Information Security Officer
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY, USA

8

I had this in 3.6.6, whatever was current in march 2008, april 2008 (looking
at irc logs on when I tried to get some help at #rt), 3.8.2 and now 3.8.6.
Maybe other too, don’t remember versions.

Note that the issue was gone for some time (3.8.5 for sure, 3.8.4, too afaik)
but it’s back after I upgraded to 3.8.6. I also upgraded system, so some perl*
packages were updated, too.

Now why it was gone for some time it’s unknown thing.

There’s a change to session handling in
3.8.6.

Which git commit is that?

Far more than a single commit. We significantly overhauled all the logic
that used to be in the autohandler.

But, if this is something you’ve seen before and not a “new” issue, I’d
not point the finger at the refactoring just yet.

Once you are logged in and see RT’s home screen, does your session
change as you refresh and “become” someone else?

How many RT instances do you have in this one apache?

Which of the apache multiprocess models are you using? Maybe there’s
something weird going on with multithreading…

If you switch to fastcgi does this go away?

Are you using apache authentication with RT?

Can you send the contents of the Configuration->Global->Tools->System Configuration page?

Have you made any local changes?

9

A tool like the firefox developer toolbar is an easy way to do this.

HTTPFox might be a good solution too. You can simply tell it to start
tracking as you use RT, and stop it once you encounter the problem.
Examine the results, debug, and or sanitize and share.

Everyone experiencing the problem doesn’t have to install the add-on,
just someone who has the issue.

Can I log session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info(“Successful login for @{[$ARGS->{user}]} from
$ENV{‘REMOTE_ADDR’}”);

So far it’s like this:

  • user logged as A
  • suddently he becomes user B
  • he logged off and on as A again

httpfox shows three session ids but I found only last one in sessions table
and it was user A session.

User B was logged in on it’s own computer at that time but with totally
different session id than three above (so I assume user A become user B with
some old session of user B).

Will try to get more information…
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

10

A tool like the firefox developer toolbar is an easy way to do this.

HTTPFox might be a good solution too. You can simply tell it to start
tracking as you use RT, and stop it once you encounter the problem.
Examine the results, debug, and or sanitize and share.

Everyone experiencing the problem doesn’t have to install the add-on,
just someone who has the issue.

Can I log session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info(“Successful login for @{[$ARGS->{user}]} from
$ENV{‘REMOTE_ADDR’}”);

There are two bits you want to log:

* $session{_session_id}	
* the session cookie the user sent:  in 3.8.6, look at LoadSessionFromCookie

So far it’s like this:

  • user logged as A
  • suddently he becomes user B
  • he logged off and on as A again

httpfox shows three session ids but I found only last one in sessions table
and it was user A session.

Logging out should be clearing that B session, so that bit isn’t too
surprising…

User B was logged in on it’s own computer at that time but with totally
different session id than three above (so I assume user A become user B with
some old session of user B).

nod

Has anybody else been seeing this? With 3.8.6 or any other version of
RT?

Jesse

11

Hi,On Mon, Oct 26, 2009 at 14:58, Jesse Vincent jesse@bestpractical.com wrote:

User B was logged in on it’s own computer at that time but with totally
different session id than three above (so I assume user A become user B with
some old session of user B).

nod

Has anybody else been seeing this? With 3.8.6 or any other version of
RT?

I saw this issue a few times on RT 3.8.2 . However it doesn’t happen
often, and I can’t think of a way to catch it. I believe, the issue
appeared after we upgraded from 3.6.5 .

Leonid Mamchenkov

12

A tool like the firefox developer toolbar is an easy way to do
this.

HTTPFox might be a good solution too. You can simply tell it to start
tracking as you use RT, and stop it once you encounter the problem.
Examine the results, debug, and or sanitize and share.

Everyone experiencing the problem doesn’t have to install the add-on,
just someone who has the issue.

Can I log session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info(“Successful login for @{[$ARGS->{user}]} from
$ENV{‘REMOTE_ADDR’}”);

There are two bits you want to log:

  • $session{_session_id}
  • the session cookie the user sent: in 3.8.6, look at
    LoadSessionFromCookie

So far it’s like this:

  • user logged as A
  • suddently he becomes user B
  • he logged off and on as A again

httpfox shows three session ids but I found only last one in sessions
table and it was user A session.

Logging out should be clearing that B session, so that bit isn’t too
surprising…

Still trying to gather more info.

What’s the correct place for logging information about which session has been
logged out (forced) or logged out via web interface?

Added this to _ForceLogout but it seems to be wrong since it logs some very
different session_ids…

sub _ForceLogout {
my $sid = $HTML::Mason::Commands::session{‘_session_id’};
$RT::Logger->info(“_ForceLogout session id $sid”);

Jesse

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

13

Today it happened to me. I suddently became user B in rt (opera). The real
user B had his PC running with rt opened (firefox) with autorefresh every 2
minutes set but he was away from his computer.

Now I verified his and mine RT_SID cookie and… I have his cookie aka we both
use the same cookie. I log session_id in rt.log at login, so I also checked
that and had login for user B with that cookie logged in rt.log 20 minutes
ago. sessions table in mysql contained that session_id of course. My initial
cookie that I logged in as user A was also there in sessions table.

So at the end I and user B we both have active sessions as user B with the
same cookie. I even did few steps through rt on both computers to see if
session_id will change but no - we are still logged in and still use the same
session_id/cookie.

(feature request: what I miss now is to make session contain IP address
information for better security - so that session would work only from that
one IP)
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

14

Today it happened to me. I suddently became user B in rt (opera). The real
user B had his PC running with rt opened (firefox) with autorefresh every 2
minutes set but he was away from his computer.

I really need to see protocol-level HTTP logs for both of these
sessions. I need to see when/if RT handed you his cookie.

Now I verified his and mine RT_SID cookie and… I have his cookie aka we both
use the same cookie. I log session_id in rt.log at login, so I also checked
that and had login for user B with that cookie logged in rt.log 20 minutes
ago. sessions table in mysql contained that session_id of course. My initial
cookie that I logged in as user A was also there in sessions table.

So at the end I and user B we both have active sessions as user B with the
same cookie. I even did few steps through rt on both computers to see if
session_id will change but no - we are still logged in and still use the same
session_id/cookie.

(feature request: what I miss now is to make session contain IP address
information for better security - so that session would work only from that
one IP)

As an optional feature, I’d love a patch. But it has to default to off.
Too many organizations have an array of outgoing proxy IP addresses.

15

Today it happened to me.

And now another story that happened just few minutes ago:

I was logged in as A with session_id/cookie let say “sessA”. When doing
something in rt I suddenly got login screen, huh! Checked sessions table -
sessA was still there. So I changed cookie preferences in opera and set RT_SID
cookie back to “sessA”, page refresh and… I’m as A, no need to log in!

Which looks like my session (“sessA”) was still alive and working on rt side
but somehow rt passed different session id/cookie to opera and opera used it
which in the end caused login screen to appear.

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

16

Today it happened to me. I suddently became user B in rt (opera). The
real user B had his PC running with rt opened (firefox) with autorefresh
every 2 minutes set but he was away from his computer.

I really need to see protocol-level HTTP logs for both of these
sessions. I need to see when/if RT handed you his cookie.

One firefox user here has httpfox [1] running but so far he didn’t have any
problem for last 2 days :frowning:

Our rt is running over ssl, so sniffing at wire level also not possible (or at
least I don’t know any working linux sniffer that could to that provided I
have key/cert)

Trying to get that.

[1] it sucks a little as it doesn’t have “save log” capability
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

17

Today it happened to me.

And now another story that happened just few minutes ago:

I was logged in as A with session_id/cookie let say “sessA”. When doing
something in rt I suddenly got login screen, huh! Checked sessions table -
sessA was still there. So I changed cookie preferences in opera and set RT_SID
cookie back to “sessA”, page refresh and… I’m as A, no need to log in!

Which looks like my session (“sessA”) was still alive and working on rt side
but somehow rt passed different session id/cookie to opera and opera used it
which in the end caused login screen to appear.

“somehow” is what we need to get to the bottom of. To do that, I need
the HTTP logs including all headers from your client. I need to see RT
serving you that cookie and to see the request it was on and what else
was in that request. This is fairly far into “should not be possible”
and I need a bit more of a view into what bit of infrastructure is
causing it.

18

[1] it sucks a little as it doesn’t have “save log” capability
Right click “Copy all rows”

19

[1] it sucks a little as it doesn’t have “save log” capability

Right click “Copy all rows”

That doesn’t copy headers data, cookies etc

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

20

I don’t think I’ve ever seen this wtih RT, but I have seen it with other
applications - the cause is usually an HTTP proxy that’s caching RT’s
pages. Do you have any sort of HTTP proxy between your browsers and your
server?

No proxy. Also rt is served over https.

There is no proxy but apache serving rt had mod_cache module installed which
turns out to be caching cookies!

Nightmare to track. Uninstalled and so far everything is working nicely.

Now the question is can anything be done on rt level to prevent mod_cache from
cacheing such stuff and actually creating security issues?

ps. issues.apache.org is full of weird mod_cache related things

-jesse

Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/