ANSWER: That logout bug on 3.6.0

I spent a while yesterday poking at the logout bug reported by many
folks against RT 3.6.0. Turns out it’s not one bug but several
related bugs. And only some of them are in RT ;)

I believe I’ve got a fairly complete solution ready to go.

Issue 1: Apache::Session statement handle clobbering.

Inside our session handling library, Apache::Session, there’s
internal magic to cache database statement handles for increased
performance. This is great in traditional application design, but
falls over badly when, say, you have a redirect back to another page
on the application and that redirect happens before the session is
firmly disconnected. In RT 3.6, we mainstreamed an RT change which
automatically redirects you to a ticket page after a create, reply or
comment. We’ve changed RT’s behaviour to more aggressively clear its
database connection, clear it before issuing the redirect header and
do a couple other small things that should help.

Issue 2: Host canonicalization.

RT 3.6 uses absolute URLs for redirects, as well as in a couple other
places. As of 3.6.0, we’re redirecting to your “canonical” RT
hostname. RT cookies are tied to a hostname. If you can get to RT as
http://foo.company.com and http://foo, this would also cause a new
authentication request.

Both of these issues are fixed in the current Subversion tree, which
will be released as RT 3.6.1pre1 later tonight. (Or tomorrow if I
don’t make it through before my flight).

Best,

Jesse

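The host canonicalization effect described under Issue 2 can be reproduced with a small model of browser cookie scoping. This is an added example, not part of the original message and not RT code: the cookie name `session`, the URL paths, the host `rt.company.com` and the helper names are assumptions made for illustration, and the matching follows RFC 6265 host-only and Domain rules (IP-address hosts omitted).

```python
from urllib.parse import urlsplit

def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (IP-address case omitted)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return (request_host == cookie_domain
            or request_host.endswith("." + cookie_domain))

class Jar:
    """Minimal cookie store: name -> (value, domain, host_only)."""
    def __init__(self):
        self.cookies = {}

    def store(self, url, name, value, domain_attr=None):
        host = urlsplit(url).hostname
        if domain_attr is None:
            # No Domain attribute: the cookie is bound to the exact host.
            self.cookies[name] = (value, host, True)
            return
        domain = domain_attr.lstrip(".").lower()
        # A host may only set a cookie for a domain it belongs to.
        if domain_match(host, domain):
            self.cookies[name] = (value, domain, False)

    def cookies_for(self, url):
        host = urlsplit(url).hostname
        sent = {}
        for name, (value, domain, host_only) in self.cookies.items():
            ok = (host == domain) if host_only else domain_match(host, domain)
            if ok:
                sent[name] = value
        return sent

def session_survives_redirect(request_url, location, domain_attr=None):
    """True if a session cookie set on request_url is sent to location."""
    jar = Jar()
    jar.store(request_url, "session", "constructed-session-id", domain_attr)
    return "session" in jar.cookies_for(location)

if __name__ == "__main__":
    # Constructed URLs: login via the short name, redirect to the canonical name.
    short, canon = "http://foo/create", "http://foo.company.com/ticket/1"
    print("short -> canonical:", session_survives_redirect(short, canon))
    print("canonical -> canonical:", session_survives_redirect(canon, canon))
    print("short with Domain=company.com:",
          session_survives_redirect(short, canon, "company.com"))
```

The last case shows that widening the cookie with a Domain attribute does not help a user who arrived via the bare name `foo`, because that host cannot set a cookie for `company.com`.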