Session take over while using RT::Authen::External

Michael_Polivanov1 · March 3, 2011, 6:03pm

We have discovered a very unpleasant behavior of RT if used with
RT::Authen::External module with LDAP authentication enabled. The
problem is that sometimes a RT site visitor (no credentials entered,
no cookie set) gets automatically logged in with a session of another
user, that was active before on another workstation. So user A gets
into RT as user B without knowing the login credentials from user B.

This is a fresh installation of 3.8.9 (apache+fastcgi+mod_ssl), with
two internal user (root and test) and LDAP authentication configured
(version 0.08_01). Authentication works, i am able to login as
external or internal user. The problem occurs with LDAP users and can
be reproduced as following (WS = workstation):

Apache (RT/fastcgi) is restarted, all …/var files are deleted between
stop and start

WS2: browser is down
WS1: LDAP user A log in into RT
WS2: LDAP user B starts the browser, browse to RT page => login mask
WS2: LDAP user B shutdown the browser, starts is again, browse to RT
page => logged in as LDAP user A

So it happens never the first time and not automatically the second,
but we were always able to reproduce it. We have tested with internal
users also, but failed to reproduce the problem, probably more tries
are required.

I have no idea how i can analyse the problem, as nothing is logged
into rt.log, if the session takeover happens, even not with debug and
tracing enabled at the same time. Logging itself works fine, here is
for example, what i get every time, when i am not logged in and browse
to the RT url (normal entries?):

[Thu Mar 3 17:25:03 2011] [debug]: Reloading RT::User to work around
a bug in RT-3.8.0 and RT-3.8.1
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:14)
[Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD1 (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD2 (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar 3 17:25:03 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)
[Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD1 (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar 3 17:25:03 2011] [debug]: Attempting to use external auth
service: AD2 (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Mar 3 17:25:03 2011] [debug]: SSO Failed and no user to test
with. Nexting (/app/rt/rt/bin/…/local/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Mar 3 17:25:03 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/app/rt/rt-3.8.9/local/html/Elements/DoAuth:26)

All i have is the apache access log (nothing unusual in error log),
and the log entries of the situation when it happens:

10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] “GET /
HTTP/1.1” 200 13324 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; de;
rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13” “-”
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] “GET
/NoAuth/images//favicon.png HTTP/1.1” 200 335 “-” “Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13” “RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7”
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] “GET
/NoAuth/images/bplogo.gif HTTP/1.1” 200 755 “https://orrt.mydomain/”
“Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.13)
Gecko/20101203 Firefox/3.6.13”
“RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7”
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] “GET
/NoAuth/images/css/rollup-arrow.gif HTTP/1.1” 200 82
“https://orrt.mydomain/NoAuth/css/web2/main-squished.css” “Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13” “RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7”
10.255.1.21 orrt.mydomain - [03/Mar/2011:18:18:59 +0100] “GET
/NoAuth/images//bplogo.gif HTTP/1.1” 200 755
“https://orrt.mydomain/NoAuth/css/web2/main-squished.css” “Mozilla/5.0
(Windows; U; Windows NT 5.1; de; rv:1.9.2.13) Gecko/20101203
Firefox/3.6.13” “RT_SID_ORRT.443=8521fcfb89bab01d0a16cb5d5a76c6c7”

Any hints how i can analyse/fix the problem are welcome. Thank you in advance!

Regards,
-michael

Thomas_Sibley · March 3, 2011, 6:07pm

We have discovered a very unpleasant behavior of RT if used with
RT::Authen::External module with LDAP authentication enabled. The
problem is that sometimes a RT site visitor (no credentials entered,
no cookie set) gets automatically logged in with a session of another
user, that was active before on another workstation. So user A gets
into RT as user B without knowing the login credentials from user B.

Is there a proxy between RT and your workstations?

Thomas

Thomas_Sibley · March 3, 2011, 7:10pm

Please keep mail on the list, thanks.On 03 Mar 2011 13:47, Michael Polivanov wrote:

Yes, there is one. I thought already that this might be a reason, but
the setup is SSL only, so i don’t think the proxy thing will be able
to cache anything.

You should test your scenario without any proxies involved. If you can
still replicate it, then we can keep troubleshooting. Otherwise, my
bets are on the proxy.

Thomas

Michael_Polivanov1 · March 3, 2011, 7:26pm

Please keep mail on the list, thanks.

Ups, too fast reply. My bloody mistake …

You should test your scenario without any proxies involved. If you can
still replicate it, then we can keep troubleshooting. Otherwise, my
bets are on the proxy.

Will do so. But i am still unsure how a proxy server can interfere a
SSL connection in my case. I mean if the files would be cached by the
proxy, i wouldn’t see the requests in apache log, especially not for
NoAuth objects, but i saw the every time when the problem occurred.

Regards,
-michael

Thomas_Sibley · March 3, 2011, 7:34pm

Will do so. But i am still unsure how a proxy server can interfere a
SSL connection in my case. I mean if the files would be cached by the
proxy, i wouldn’t see the requests in apache log, especially not for
NoAuth objects, but i saw the every time when the problem occurred.

In our experience, we haven’t yet seen a cookie sharing problem that
wasn’t a proxy or a misconfigured apache accelerator module (mod_cache,
etc).

Thomas

Michael_Polivanov1 · March 4, 2011, 3:06pm

We have now tested it without proxy: same result, same problem. Can
this be a FastCGI issue?

Thomas_Sibley · March 4, 2011, 4:09pm

We have now tested it without proxy: same result, same problem. Can
this be a FastCGI issue?

Can you send your entire Apache config (not just the RT vhost part)?
Private mail to me is fine if you don’t want to share it with the list.
Start up wireshark or tcpdump and see where and when the second
workstation gets the cookie.

Thomas

Michael_Polivanov1 · March 7, 2011, 9:28am

Can you send your entire Apache config (not just the RT vhost part)?
Private mail to me is fine if you don’t want to share it with the list.

Is attached

Regards

apache-conf.tgz (3.47 KB)

Michael_Polivanov1 · March 8, 2011, 2:18pm

We were able to fix the issue (at least we believe it, more testing is
necessary) by starting standalone FastCGI RT server. Further analysis
of the issue is required, but as there are so many factors to consider
(Perl build, FastCGI, RH EL6, …), it will take a while.

Vladimir_Nikolic · July 13, 2011, 6:19am

We had the same problem (FreeBSD 8.1, rt-3.8.10,
p5-RT-Authen-ExternalAuth-0.09, apache-2.2.19, ap22-mod_fastcgi-2.4.6_1).
Replacing mod_fastcgi with mod_perl (ap22-mod_perl2-2.0.5,3), solved the
problem.

Regards

Vladimir Nikolic | Sistemski administrator / System Administrator