RT_SID cookie not invalidated at logout

I use RT on several computers, and found that changes I made to RT-at-a-glance
on one were not seen when I re-logged in on another. The browser is presenting
the RT_SID cookie from a previous session, and RT then seems to use the cached
RT-at-a-glance data perhaps from /opt/rt4/var/session_data.

Also if I logout of RT and log in again as a different user, the new user is
authenticated correctly and gains the correct rights, but gets the (broken)
RT-at-a-glance settings of the previous user.

I am running RT 4.0.10 with mod_fcgid 2.3.6 and RT-Authen-ExternalAuth ldap
authentication.

> I use RT on several computers, and found that changes I made to RT-at-a-glance
> on one were not seen when I re-logged in on another. The browser is presenting
> the RT_SID cookie from a previous session, and RT then seems to use the cached
> RT-at-a-glance data perhaps from /opt/rt4/var/session_data.

The configuration of “RT at a glance” is indeed stored in the session.
This means that if you have two sessions, you’ll need to logout of the
second and log back in before you’ll see changes made by the first.
It’s generally a minor annoyance since the configuration of the RT at a
glance page doesn’t usually change very often.

RT invalidates the current session on logout, but of course it doesn’t
invalidate any other sessions the same user may have; otherwise you’d be
logged out of your other devices.

> Also if I logout of RT and log in again as a different user, the new user is
> authenticated correctly and gains the correct rights, but gets the (broken)
> RT-at-a-glance settings of the previous user.

This claim is very different and suggests that RT is mixing sessions
between users. I doubt that is happening; all previous cases of mixed
sessions between different users were caused by improper caching layers
at the webserver or network level. Do you have mod_cache enabled in Apache?

Please verify you can reproduce this reliably, and then submit the
reproduction steps. If possible, include a network trace (using a wire
sniffer or something like Firebug/Web inspector in your browser).

> I am running RT 4.0.10 with mod_fcgid 2.3.6 and RT-Authen-ExternalAuth ldap
> authentication.

Thanks for the RT version; it’s good to see someone running the latest
when reporting issues.

> It looks like the session is not invalidated on logout. The cookie is
> still valid in my browser, and the corresponding session is still
> present in session-data.

The cookie being valid doesn’t matter. What matters is that RT
invalidates the session on the server-side, so it can’t be reused.

> I attach an http trace and you can see that the logout response
> explicitly sets the old cookie. I have disabled mod_cache and
> mod_disk_cache. No web proxies in use.

Thank you for the trace. Please send your Apache config as well, and
keep replies on list for posterity.

Do you have any local customizations to RT?
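The following is an added example, not part of this thread or of RT itself: a small audit that walks a captured HTTP trace (headers only) and flags the symptom reported above, a logout response that re-issues the RT_SID it was sent, plus the condition that actually matters per the reply above, the old session id still being served pages after logout. The trace, cookie name suffix and paths are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

Exchange = Tuple[str, str]  # (request headers, response headers) as captured text

# Constructed sample trace (not from the thread): a login that rotates the id,
# a page load, a logout whose response re-sets the *old* RT_SID, and a replay
# of that cookie afterwards that is still answered with a 200.
SAMPLE_TRACE: List[Exchange] = [
    ("POST /rt/NoAuth/Login.html HTTP/1.1\r\nCookie: RT_SID_example=old111\r\n",
     "HTTP/1.1 302 Found\r\nSet-Cookie: RT_SID_example=new222; path=/; HttpOnly\r\n"),
    ("GET /rt/index.html HTTP/1.1\r\nCookie: RT_SID_example=new222\r\n",
     "HTTP/1.1 200 OK\r\n"),
    ("GET /rt/NoAuth/Logout.html HTTP/1.1\r\nCookie: RT_SID_example=new222\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: RT_SID_example=new222; path=/; HttpOnly\r\n"),
    ("GET /rt/index.html HTTP/1.1\r\nCookie: RT_SID_example=new222\r\n",
     "HTTP/1.1 200 OK\r\n"),
]

# RT names its cookie RT_SID_<host>.<port>; match any such suffix.
SID_RE = re.compile(r"RT_SID[^=;\s]*=([^;\s]+)")

def sid_in(header_block: str, header: str) -> Optional[str]:
    """RT_SID value carried by the named header (Cookie or Set-Cookie), if any."""
    m = re.search(rf"^{header}:.*", header_block, re.M | re.I)
    sid = SID_RE.search(m.group(0)) if m else None
    return sid.group(1) if sid else None

def request_path(request: str) -> str:
    return request.split(" ", 2)[1]

def status_code(response: str) -> int:
    return int(response.split(" ", 2)[1])

def audit_trace(trace: List[Exchange]) -> List[str]:
    """Flag session ids that survive login or logout across a captured trace."""
    findings, logged_out = [], set()
    for req, resp in trace:
        path = request_path(req)
        sent, assigned = sid_in(req, "Cookie"), sid_in(resp, "Set-Cookie")
        if "Login" in path and sent and assigned == sent:
            findings.append(f"login kept session id {sent} (no rotation)")
        if "Logout" in path:
            if sent and assigned == sent:
                findings.append(f"logout re-issued old session id {sent}")
            if sent:
                logged_out.add(sent)
        elif sent in logged_out and status_code(resp) == 200 and "/NoAuth/" not in path:
            findings.append(f"session id {sent} still served {path} after logout")
    return findings
```

Only the last kind of finding proves the session was not invalidated server-side; a re-sent cookie value on its own is just the hint that prompted this thread.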

All our users authenticate using their LDAP credentials via
RT-Authen-ExternalAuth plugin. I just tried creating a local user, and
RT does the right thing when the local user logs in - it sends back a
new cookie and removes the old session data. So the problem seems to be
with the RT-Authen-ExternalAuth plugin.

We recently upgraded from RT 4.0.4/ExternalAuth 0.9 to
RT 4.0.10/ExternalAuth 0.13. I can’t be sure the problem didn’t exist
before, but I didn’t notice it.


I’ve dug into this. Are you by chance using Oracle for the RT database?
If not, are you explicitly setting the $WebSessionClass option to
Apache::Session::File?

Thomas


Thanks for investigating. Yes, we are using Oracle. WebSessionClass is
default, which is commented out.


On Oracle, RT defaults to using Apache::Session::File instead of storing
sessions in the database (for historical reasons). If you’re up for it,
try switching to Apache::Session::Oracle.

  1. Install it: sudo cpan -i Apache::Session::Oracle

  2. Add this line to your /opt/rt4/etc/RT_SiteConfig.pm:

    Set($WebSessionClass, "Apache::Session::Oracle");

  3. Restart Apache

This should fix your problem. If you experience other issues, you can
revert back to the original behaviour by commenting out or removing the
line you added to RT_SiteConfig.pm above and restarting Apache again.

Let us know how that works.

Thomas