Users automatically gain session of each other
Added by Ben Sairo over 11 years ago
I log in to my account and, after a few clicks around, I am automatically logged in as another user, meaning I gain their session. Other users are the same: they automatically gain each other's sessions. My environment is:
Redmine version 2.3.1.stable
Ruby version 1.8.7 (x86_64-linux)
Rails version 3.2.13
Environment production
Database adapter Mysql2
OS Ubuntu server 12.10 64bit
Any help please, I'm desperate. Problem doesn't happen on Windows box :-(
Replies (6)
RE: Users automatically gain session of each other - Added by Jean-Baptiste Barth over 11 years ago
There's absolutely no reason this should happen. Do you have custom plugins installed? Do you host your Redmine with "Passenger"? If so, show us your config.
RE: Users automatically gain session of each other - Added by Ben Sairo over 11 years ago
Dear,
I have some plugins, but even if I remove all plugins the problem still happens.
I do use Passenger; the config in the Apache config file is:
-----------------------------------------------------------
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19
PassengerRuby /usr/bin/ruby1.8
-----------------------------------------------------------
database.yml:
-----------------------------------------------------------
production:
  adapter: mysql2
  database: redmine
  host: 127.0.0.1
  username: xxxx
  password: "xxxxx"
  encoding: utf8
------------------------------------------------------------
configuration.yml:
------------------------------------------------------------
default:
  # Outgoing emails configuration (see examples above)
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: 127.0.0.1
      port: 25
      domain: xxxx
      authentication: :none
  autologin_cookie_name:
  autologin_cookie_path:
  autologin_cookie_secure:
  scm_subversion_command:
  scm_mercurial_command:
  scm_git_command:
  scm_cvs_command:
  scm_bazaar_command:
  scm_darcs_command:
  database_cipher_key:
  rmagick_font_path:
--------------------------------------------------------
The attachment is the settings.yml file.
Thanks
settings.yml (3.62 KB)
RE: Users automatically gain session of each other - Added by Jean-Baptiste Barth over 11 years ago
Maybe see this thread: http://stackoverflow.com/questions/1524187/users-take-sessions-of-other-users-when-sessions-are-stored-in-memcached-rails but we're far from a standard redmine install. I guess you don't use memcached?
Else inspect your cookies on two different computers that get the same session without any reason. See if there's anything strange.
I'd also recommend you change your secret token (in config/initializers/secret_token.rb if I'm not mistaken, or something like that). It will invalidate current sessions but hopefully will improve the situation. At least check it is not blank.
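One way to carry out the cookie check suggested above, as an added example that is not part of the original thread or Redmine's own code. It assumes the Rails 3.2 signed cookie store format (CGI-escaped `<base64 Marshal dump>--<HMAC-SHA1 hex>`) and string session keys `session_id` and `user_id`; the function names, the secret and the sample cookies are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "cgi"

# Constant-time comparison of two hex digests.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Assumed format: CGI-escaped "<base64 Marshal dump>--<HMAC-SHA1 hex>".
# Returns the session hash, or nil if the signature does not verify.
def decode_session(cookie_value, secret)
  raise ArgumentError, "secret token is blank" if secret.to_s.strip.empty?
  data, digest = CGI.unescape(cookie_value.to_s).split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_eq(hmac_hex(secret, data), digest)
  Marshal.load(Base64.decode64(data)) # unmarshal only after the HMAC verified
end

# Flags cookies that fail verification and clients holding the same session_id.
def compare_clients(cookies_by_client, secret)
  seen = {}
  cookies_by_client.each_with_object([]) do |(client, cookie), findings|
    session = decode_session(cookie, secret)
    if session.nil?
      findings << "#{client}: cookie not signed with this secret token"
    elsif seen.key?(session["session_id"])
      findings << "#{client} and #{seen[session['session_id']]} share session_id " \
                  "#{session['session_id']} (user_id #{session['user_id']})"
    else
      seen[session["session_id"]] = client
    end
  end
end

# Constructed sample data: builds a cookie in the assumed format.
def sign_session(hash, secret)
  data = Base64.strict_encode64(Marshal.dump(hash))
  CGI.escape("#{data}--#{hmac_hex(secret, data)}")
end

SECRET = "constructed-secret-token-not-a-real-one" # placeholder
pc1 = sign_session({ "session_id" => "aaa111", "user_id" => 5 }, SECRET)
pc2 = sign_session({ "session_id" => "bbb222", "user_id" => 7 }, SECRET)
puts compare_clients({ "pc1" => pc1, "pc2" => pc1 }, SECRET)
puts compare_clients({ "pc1" => pc1, "pc2" => pc2 }, SECRET).empty?
```

A real session that contains Rails objects (for example a flash hash) can only be unmarshalled inside the application's own environment, such as its console.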
RE: Users automatically gain session of each other - Added by Ben Sairo over 11 years ago
I don't use Memcached.
I checked the request/response and see that when the session exchange happens, the session id sent in the request cookie is different from the one received in the response. I really don't understand why, and it's so confusing.
Another note is that in the production.log file I see that all client IPs are recorded as the same one, which is the gateway IP. This seems to be due to the firewall (Kerio Control), and I have no idea if it's the reason, nor how to get the real IP recorded.
However, I have other Ruby applications installed on the same server, like Gitorious, that don't encounter this session issue.
I did try to change the secret token; it didn't help.
RE: Users automatically gain session of each other - Added by Oleksandr Melnyk over 8 years ago
Having exactly same bug. We are using redmine within subpath (/mine) in same host with another application, redmine basepath is set by passenger, and also using autologin cookie. Very often redmine session just becomes of another user, hard to debug, pretty weird.
redmine version 3.2.3-stable.
RE: Users automatically gain session of each other - Added by Toshi MARUYAMA over 8 years ago
Oleksandr Melnyk wrote:
Having exactly same bug. We are using redmine within subpath (/mine) in same host with another application, redmine basepath is set by passenger, and also using autologin cookie. Very often redmine session just becomes of another user, hard to debug, pretty weird.
redmine version 3.2.3-stable.
Did you change "autologin_cookie_path"?
See #21169.