User authentication not working with fcgi?

Hi,

has anyone tried to set up RT 2.0.15 in a non-Apache FastCGI
environment? I got it running, but it seems that RT only
creates one session.

After I logged in from the local network, I tried to access
it off-site. To my surprise, the browser which is running
off-site shows that I am logged in. If I log off there, my
session on the local network is also logged off.

Obviously, this is a problem, since any unknown user in the
world has the same rights as any privileged user who happens
to be logged on somewhere at that time.

No cookie seems to have been created at any time.

Has anyone seen this before?

Ambrose Li a.c.li@ieee.org
http://ada.dhs.org/~acli/cmcc/ http://www.cccgt.org/

DRM is theft - We are the stakeholders

"AL" == Ambrose Li <a.c.li@ieee.org> writes:

AL> After I logged in from the local network, I tried to access
AL> it off-site. To my surprise, the browser which is running
AL> off-site shows that I am logged in. If I log off there, my

My guess would be that whatever code generates the session key (ie,
the cookie value) has become predictable and constant. I don’t know
what that computation is, but it should include several elements such
as the PID, time, and a PRNG value to be safe against guessing.

Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/

In article <15872.34792.89816.818631@onceler.kciLink.com>, Vivek Khera <khera@kcilink.com> wrote:

> "AL" == Ambrose Li <a.c.li@ieee.org> writes:
>
> AL> After I logged in from the local network, I tried to access
> AL> it off-site. To my surprise, the browser which is running
> AL> off-site shows that I am logged in. If I log off there, my
>
> My guess would be that whatever code generates the session key (ie,
> the cookie value) has become predictable and constant. I don't know
> what that computation is, but it should include several elements such
> as the PID, time, and a PRNG value to be safe against guessing.

It seems that this is related to restarting the web server. After
restarting the web server, the first session will become the only
session.

If I delete everything in WebRT/sessiondata before restarting the
web server, it seems that different sessions are properly created.

Do any other FastCGI users experience the same problem? Or is it
only me?

Ambrose Li a.c.li@ieee.org
http://ada.dhs.org/~acli/cmcc/ http://www.cccgt.org/

DRM is theft - We are the stakeholders
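A quick check for the two symptoms reported in this thread (two fresh clients being handed the same session cookie, or no session cookie at all), as an added example that is not part of the original posts. The cookie name, the helper names and the sample headers are assumptions constructed for illustration, not captured from an RT instance.

```python
from http.client import HTTPConnection
from http.cookies import SimpleCookie

def session_cookies(headers, cookie_name):
    """Collect the values of every Set-Cookie header that sets cookie_name.
    headers is a list of (name, value) pairs, as http.client returns them."""
    values = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        if cookie_name in jar:
            values.append(jar[cookie_name].value)
    return values

def classify(headers_a, headers_b, cookie_name):
    """Compare the responses seen by two *fresh* clients (no Cookie sent).
    Returns 'no-cookie', 'shared-session' or 'isolated'."""
    a = session_cookies(headers_a, cookie_name)
    b = session_cookies(headers_b, cookie_name)
    if not a or not b:
        return "no-cookie"        # symptom from the last post: nothing set
    if set(a) & set(b):
        return "shared-session"   # symptom from the first post: one session for all
    return "isolated"

def fetch_headers(host, port, path):
    """Live probe against your own server: one request with no Cookie header.
    Call it twice on separate connections and feed both results to classify()."""
    conn = HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = resp.getheaders()
    resp.read()
    conn.close()
    return headers

# Constructed sample responses (assumed cookie name; substitute the app's own).
COOKIE = "session_id"
SHARED_A = [("Content-Type", "text/html"), ("Set-Cookie", "session_id=abc123; path=/")]
SHARED_B = [("Content-Type", "text/html"), ("Set-Cookie", "session_id=abc123; path=/")]
NONE_A = [("Content-Type", "text/html")]
GOOD_A = [("Set-Cookie", "session_id=3f9a0c; path=/")]
GOOD_B = [("Set-Cookie", "session_id=b17c4e; path=/")]
```

Run the probe from two different machines (or two separate connections with no stored cookies) after a web server restart, since that is when the thread reports the problem appearing.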

In article <15872.34792.89816.818631@onceler.kciLink.com> you write:

> My guess would be that whatever code generates the session key
> (ie, the cookie value) has become predictable and constant.
> I don't know what that computation is, but it should include
> several elements such as the PID, time, and a PRNG value to be
> safe against guessing.

It seems to be even worse. When I go to my browser’s cookie
manager, it shows me that there is no cookie at all.

If I kill the FastCGI rt process, sometimes RT will start
working. (I know this at once when my browser says “Received
cookie…”) But I don’t see a pattern as to when RT works and
when it doesn’t.

Very strange.

Ambrose Li a.c.li@ieee.org
http://ada.dhs.org/~acli/cmcc/ http://www.cccgt.org/

DRM is theft - We are the stakeholders