SelfService users need to login twice

Hi,

I am investigating a problem with the SelfService login page where
unprivileged users must login two times in a row for it to succeed.
I found this thread:

and I think that my issue is the same. Unfortunately, I cannot
find the original patch for 3.8.0 - 3.8.5 that I applied. Does
anyone have a copy of the patch or an idea on how to debug this?

Regards,
Ken

I had to make the same change to:

share/html/Elements/SetupSessionCookie

as described in the thread to eliminate the double login.
Like the original thread, I am curious if there is a problem
with this fix or a better one? I am running 3.8.5.

Regards,
Ken

I’m not sure which fix you’re referencing, since my sha1 in that
thread was for the 3.6 fix, which was a backport of
84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8.

This was a fix for users going to http://rt.server/ and logging in and
losing the cookie when being redirected by mod_perl to
http://rt.server/SelfService/

Again, not sure what fix you applied, so it’s hard to comment further.

-kevin

It was the 3.8 session fixation patch.

Ken

cat rt-3.8-session_fixation.patch
— …/rt-3.8.5/share/html/Elements/SetupSessionCookie 2009-09-15 02:23:22.000000000 +0900
+++ share/html/Elements/SetupSessionCookie 2009-09-30 08:17:57.000000000 +0900
@@ -53,11 +53,17 @@
my %cookies = CGI::Cookie->fetch;
my $cookiename = “RT_SID_”. RT->Config->Get(‘rtname’);
$cookiename .= “.”. $ENV{‘SERVER_PORT’} if $ENV{‘SERVER_PORT’};
-$SessionCookie ||= ( $cookies{$cookiename} ? $cookies{$cookiename}->value : undef ),
+$SessionCookie = ( $cookies{$cookiename} ? $cookies{$cookiename}->value : undef );

tie %session, ‘RT::Interface::Web::Session’, $SessionCookie;
undef $cookies{$cookiename} unless $SessionCookie && $session{‘_session_id’} eq $SessionCookie;

+unless ($session{‘CurrentUser’} && $session{CurrentUser}->id) {

  • tied(%session)->delete;
  • undef $cookies{$cookiename};
  • tie %session, ‘RT::Interface::Web::Session’, undef;
    +}
    if ( int RT->Config->Get(‘AutoLogoff’) ) {
    my $now = int(time/60);
    my $last_update = $session{‘_session_last_update’} || 0;
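Review bot: the new `unless` block at the end of the hunk discards the session and re-ties a fresh one on every request where `$session{'CurrentUser'}` is not a user object with an id, and the request that submits the login form is itself such a request, so the response to that login must deliver a brand-new cookie; when that response is the redirect to /SelfService/ on which Kevin says the cookie gets lost, the next request arrives with a stale or missing id and lands on the login page again, which matches the double login reported above. Rotating the id once, at the moment authentication succeeds, defends against session fixation just as well without reissuing a cookie on every anonymous request. Separately, the first changed line turns `$SessionCookie ||=` into `$SessionCookie =`, so a `$SessionCookie` value passed into the component is now ignored in favour of the cookie; and the removed line ended in a comma rather than a semicolon, which made the following `tie` part of the same list expression, so the `+` line also fixes that. The three lines shown as bullets under the `unless` are its `+` lines.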

So, that fixed the double login or caused it?

-kevin

It caused it. I removed the second half of the test in the unless
just like the mention in the thread. Then it worked again, but
with what consequences?

Ken

That change should be fine.

The actual 3.8.6 (which contains a fix) completely rewrites the code
path. Unfortunately, it’s hard to comment more on a patch from 2009
without a lot more digging.

-kevin
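To make the trade-off Ken asks about concrete, here is a small model of the decision that `unless` block makes: rotating the session on every unauthenticated request versus rotating it only when a login succeeds. This is added here and is not RT's code or anything posted in this thread; `SessionStore`, `setup_session_cookie`, `login` and the two policy flags are constructed stand-ins for RT::Interface::Web::Session and the SetupSessionCookie component, and credential checking is assumed to have happened before `login` is called.

```python
import secrets

class SessionStore:
    """Constructed in-memory stand-in for RT::Interface::Web::Session."""
    def __init__(self):
        self.sessions = {}  # session id -> session data
    def tie(self, sid):
        # Like `tie %session, ..., $SessionCookie`: attach to a known id, else create a fresh one
        if sid is not None and sid in self.sessions:
            return sid, self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"_session_id": new_sid}
        return new_sid, self.sessions[new_sid]
    def delete(self, sid):
        self.sessions.pop(sid, None)

def setup_session_cookie(store, cookie_sid, rotate_when_unauthenticated):
    """Per-request setup; set_cookie is the id the response must send back, or None."""
    sid, session = store.tie(cookie_sid)
    set_cookie = None if sid == cookie_sid else sid
    if rotate_when_unauthenticated and not session.get("CurrentUser"):
        # The patch's `unless ($session{'CurrentUser'} ...)` block: delete, undef the cookie, re-tie
        store.delete(sid)
        sid, session = store.tie(None)
        set_cookie = sid
    return sid, session, set_cookie

def login(store, sid, session, user, rotate_on_login):
    # Credentials already verified (assumed); record the user, optionally under a fresh id
    if rotate_on_login:
        store.delete(sid)
        sid, session = store.tie(None)
    session["CurrentUser"] = user
    return sid, session

def fixation_survives(rotate_when_unauthenticated, rotate_on_login):
    """True if an id that was valid before login still names the authenticated session."""
    store = SessionStore()
    known, _, _ = setup_session_cookie(store, None, rotate_when_unauthenticated)  # id issued pre-login
    sid, session, _ = setup_session_cookie(store, known, rotate_when_unauthenticated)  # login request
    login(store, sid, session, "alice", rotate_on_login)
    return store.sessions.get(known, {}).get("CurrentUser") == "alice"

def anonymous_cookie_reissued(rotate_when_unauthenticated):
    """True if a valid anonymous cookie is replaced on every request (so each anonymous response, a redirect included, must carry the new Set-Cookie)."""
    store = SessionStore()
    known, _, _ = setup_session_cookie(store, None, rotate_when_unauthenticated)
    _, _, set_cookie = setup_session_cookie(store, known, rotate_when_unauthenticated)
    return set_cookie is not None
```

Either rotation policy stops an id that was valid before login from naming the authenticated session; the per-request policy additionally replaces the cookie on every anonymous request, which is what makes the redirect described earlier a place to lose it.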

I understand and thank you for taking a quick look. We have an update
to 3.8.10 scheduled.

Regards,
Ken