Webkit browsers lose session only when viewing Attachment

Hello,

I have noticed that my Ubuntu install of RT 3.8.4 (but not my Debian
install of same) gives Chrome and Safari browsers a new session cookie
whenever they click an Attachment
(/rt/Attachment/[transactionId]/[attachmentId]/filename). So after a
logged-in user views an attachment, the cookie they have no longer
matches up with the one they were using to be considered logged-in.
Then any subsequent action results in a login prompt.

The logout problem does not happen when clicking any other links in
RT. Only the links to attachments kill the session.

I checked the MySQL session table to see what happened to the old
session and it is still there. I don’t know why RT issues a new one.
The a_session field is a longblob. I truncated the sessions table and
started again, but still the same. The same behavior occurs both
whether session is stored in MySQL or in ‘Apache::Session::File’ (with
RT Config for WebSessionClass).

I have watched my network with Wireshark and see that when Safari and
Chrome ask for the Attachment, the GET request includes the Cookie
header with the correct (logged in) cookie. The server response
returns the attachment without any cookie header, and then webkit
immediately asks to GET /favicon.ico, without any cookie header.
That’s when the server replies back with a new cookie in a response
that contains the login page.

Firefox and Opera browsers don’t have any problem at all with losing
their session after clicking an attachment.

Here’s a little screencast that shows consistent session loss for
Safari and Chrome, only when clicking into an Attachment:

Any ideas on why this would happen? I have another Debian install of
3.8.4 that is almost identical to this Ubuntu one and don’t get this
problem.

Allen

I found the reason for this problem. But don’t know the correct solution.

The reason is that RT runs from the /rt subdirectory on this server.
That subdirectory is where the authenticated session cookie applies.
When a Webkit browser asks for /favicon.ico, that is above the /rt
directory, therefore the login cookie is inapplicable there. So, RT
sends back a response with a new cookie.

The reason this happens on 1 of my servers and not the other is
because RT on the broken server is one of many NameBasedVirtualHosts.
So if the visitor is at this hostname, it hits RT, even if /rt was not
part of the REQUEST_URI. On my other server, it uses mod_vhost_alias
for all the domains, and RT is installed just as an Alias /rt. So on
that server when /favicon.ico is requested, the answer does not come
back from RT, but from one of the other mod_vhost_alias domains
because the Alias does not apply.

It seems I need some kind of rewrite rule in the Apache config to
handle people asking for “/file” instead of “/rt/file”

Or maybe just remove the “Alias /rt
/usr/share/request-tracker3.8/html” and other references to /rt in the
Apache configs and just let RT run at DocumentRoot instead of in a
subdirectory?

Anyone else running RT in a subdirectory of a NameBasedVirtualhost
with a suggestion?

Allen
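
The sequence described above, replayed against a minimal cookie jar (an added example, not part of the original post and not RT's code). The cookie name, session ids and URL list are constructed, and it assumes the replacement cookie is issued with the same name and Path as the original, which is what lets it overwrite the logged-in one.

```python
# Added example. Cookie name, session ids and URLs are constructed.
COOKIE = "RT_SID_example"  # hypothetical cookie name
SAMPLE_URLS = ["/rt/Ticket/Display.html", "/rt/Attachment/1/2/file.txt",
               "/favicon.ico", "/rt/Ticket/Display.html"]


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does a cookie's Path cover this request?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class Server:
    """Answers every URL on the vhost; no cookie sent means a fresh session."""

    def __init__(self):
        self.logged_in = set()
        self.issued = 0

    def new_session(self, authenticated=False):
        self.issued += 1
        sid = f"sid{self.issued}"
        if authenticated:
            self.logged_in.add(sid)
        return sid

    def handle(self, sent_sid):
        """Return (authenticated, session id to set or None)."""
        if sent_sid is None:
            return False, self.new_session()
        return sent_sid in self.logged_in, None


def browse(cookie_path, urls=SAMPLE_URLS):
    """Replay urls through one cookie jar; return [(url, authenticated)]."""
    server = Server()
    # Jar is keyed by (name, path): a Set-Cookie with the same key replaces it.
    jar = {(COOKIE, cookie_path): server.new_session(authenticated=True)}
    results = []
    for url in urls:
        sent = next((s for (_, p), s in jar.items() if path_matches(url, p)), None)
        authenticated, set_sid = server.handle(sent)
        if set_sid is not None:  # assumption: reissued with the same name and Path
            jar[(COOKIE, cookie_path)] = set_sid
        results.append((url, authenticated))
    return results
```

With `browse("/rt")` the authenticated flags come out True, True, False, False; with `browse("/")` they stay True throughout, which is the effect of running RT at the root of its own hostname.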

RT 3.8.5 on FreeBSD 6.2 using Apache 2.2.6

How can I have the search functions search and display custom fields?

The page here:
http://wiki.bestpractical.com/view/DisplayCustomFieldsInTicketSearch

…says that the conventional method doesn’t work in 3.6 and above.

I’ve created Custom Fields for ‘tickets’, added it to the queue, and when
I create a new ticket the dropdown box is there.

But in both simple and advanced search I’m unable to make RT find results
based on the option (development categories ‘bugs’, ‘feature requests’,
etc) that was chosen for the custom field.

-jake

For future readers, to make it so that requests for objects above the
$WebPath directory (like /favicon.ico, when WebPath is “/rt”) do not
trash the current session, I changed the RT installation so that it
runs from the root directory of a subdomain (rt.example.com) instead
of a subdirectory (example.com/rt).

Changes to Apache config files:

/etc/apache2/sites-available/rt.example.com:
insecure vhost container:

  • backwards compat for anyone with old links to subdir:
  • RewriteEngine on
  • RewriteCond %{REQUEST_URI} ^/rt(.*)
  • RewriteRule .* http://rt.example.com%1 [R]
  • Alias /rt /usr/share/request-tracker3.8/html
  • <Location /rt/REST/1.0/NoAuth>
  • <Location /REST/1.0/NoAuth>
    same changes to secure vhost container except rewrite redirects to httpS
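
Review bot: the RewriteCond pattern ^/rt(.*) does not require the captured part to begin with a slash, so a request such as /rtfoo is redirected to http://rt.example.comfoo, which is a different hostname; anchoring it as ^/rt(/.*)?$ keeps the capture inside the path. The bare [R] flag sends a temporary (302) redirect, so [R=301,L] fits better if the move to the subdomain is permanent. The insecure container also redirects old links to http:// rather than https://, so anyone following them stays on plain HTTP; pointing both containers at the https:// URL would avoid that.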

/etc/request-tracker3.8/apache2-modperl2.conf:
-RewriteRule ^/rt$ /rt/
-RewriteRule ^/rt/(.*)$ /usr/share/request-tracker3.8/html/$1
-<Location /rt/REST/1.0/NoAuth>
+<Location /REST/1.0/NoAuth>

/etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
Set($WebPath , “/rt”);
Set($WebPath , “”);
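
Review bot: the two Set($WebPath ...) lines carry no -/+ markers, unlike the apache2-modperl2.conf lines above, and use typographic quotes, so the lines alone do not show which value is removed, and pasted as shown Perl will not parse them. Mark the "/rt" line as removed and the "" line as added, write both with plain double quotes, and leave a single Set($WebPath ...) in the file.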

Hi Jake,

When you have custom fields assigned to a

On Thu, Dec 3, 2009 at 11:02 AM, elsif jake@elsif.net wrote:

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Bill Graboyes
On Assignment At:
Toyota Motor Sales, USA, Inc.
Consumer Portal Delivery
Office: (310) 468-6754
Cell: (714) 515-8312

Hi Jake,

Sorry for that last transmission, it sent without my consent.

At any rate, when you have custom fields assigned to a queue, they will only
show up in the query builder if you have that queue selected.

Otherwise you would need to make the custom field global to be able to
search without a qualified queue.

Thanks,
Bill

On Fri, Dec 4, 2009 at 9:35 AM, William Graboyes <william.graboyes@theportalgrp.com> wrote:
