SelfService users need to login twice

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

Regards,
Ken

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

I’m not sure which fix you’re referencing, since my sha1 in that
thread was for the 3.6 fix, which was a backport of
84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

-kevin

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

I’m not sure which fix you’re referencing, since my sha1 in that
thread was for the 3.6 fix, which was a backport of
84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

-kevin

It was the 3.8 session fixation patch.

Ken

cat rt-3.8-session_fixation.patch
— …/rt-3.8.5/share/html/Elements/SetupSessionCookie 2009-09-15 02:23:22.000000000 +0900
+++ share/html/Elements/SetupSessionCookie 2009-09-30 08:17:57.000000000 +0900
@@ -53,11 +53,17 @@
my %cookies = CGI::Cookie->fetch;
my $cookiename = “RT_SID_”. RT->Config->Get(‘rtname’);
$cookiename .= “.”. $ENV{‘SERVER_PORT’} if $ENV{‘SERVER_PORT’};
-$SessionCookie ||= ( $cookies{$cookiename} ? $cookies{$cookiename}->value : undef ),
+$SessionCookie = ( $cookies{$cookiename} ? $cookies{$cookiename}->value : undef );

tie %session, ‘RT::Interface::Web::Session’, $SessionCookie;
undef $cookies{$cookiename} unless $SessionCookie && $session{’_session_id’} eq $SessionCookie;

+unless ($session{‘CurrentUser’} && $session{CurrentUser}->id) {

  • tied(%session)->delete;
  • undef $cookies{$cookiename};
  • tie %session, ‘RT::Interface::Web::Session’, undef;
    +}
    if ( int RT->Config->Get(‘AutoLogoff’) ) {
    my $now = int(time/60);
    my $last_update = $session{’_session_last_update’} || 0;

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

I’m not sure which fix you’re referencing, since my sha1 in that
thread was for the 3.6 fix, which was a backport of
84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

-kevin

It was the 3.8 session fixation patch.

So, that fixed the double login or caused it?

-kevin

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

I’m not sure which fix you’re referencing, since my sha1 in that
thread was for the 3.6 fix, which was a backport of
84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

-kevin

It was the 3.8 session fixation patch.

So, that fixed the double login or caused it?

-kevin

It caused it. I removed the second half of the test in the unless
just like the mention in the thread. Then it worked again, but
with what consequences?

Ken

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

http://www.gossamer-threads.com/lists/rt/users/90794

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this.

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

I’m not sure which fix you’re referencing, since my sha1 in that
thread was for the 3.6 fix, which was a backport of
84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

It was the 3.8 session fixation patch.

So, that fixed the double login or caused it?

It caused it. I removed the second half of the test in the unless
just like the mention in the thread. Then it worked again, but
with what consequences?

That change should be fine.

The actual 3.8.6 (which contains a fix) completely rewrites the code
path. Unfortunately, it’s hard to comment more on a patch from 2009
without a lot more digging.

-kevin

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

It was the 3.8 session fixation patch.

So, that fixed the double login or caused it?

It caused it. I removed the second half of the test in the unless
just like the mention in the thread. Then it worked again, but
with what consequences?

That change should be fine.

The actual 3.8.6 (which contains a fix) completely rewrites the code
path. Unfortunately, it’s hard to comment more on a patch from 2009
without a lot more digging.

-kevin

I understand and thank you for taking a quick look. We have an update
to 3.8.10 scheduled.

Regards,
Ken