Defect #16489

closed

Autologin Cookie doesn't differentiate between different Redmine systems within the same browser

Added by Kevin Brand about 10 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: No feedback
Affected version:

Description

When I'm using two different Redmine systems (for example a working system and a testing system) within the same browser (tested with Chrome and IE), the autologin cookie every time automatically registers the two users of each system with the same ID on the databases.

An example: I'm logged in on the working system with my work account. Now I open a new tab, go to the testing system and register myself with a test account.
When I now go back to the working system and refresh the site, I'm no longer logged in with my work account, but with the account of another workmate, which has the same ID on the working system database as the test account on the testing system database.

There is no authentication (password) needed, which means that I am able to log in as each user of the working system, as long as I have a user on my testing system with the same ID.


Related issues

Related to Redmine - Patch #21169: Use config.relative_url_root as the default path for session and autologin cookies (Closed, Jean-Philippe Lang)
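
An added example, not part of the original report and not Redmine's own code: a small model of browser cookie storage (RFC 6265 path matching) showing why the cookie path named in Patch #21169 matters when two instances share a host. It assumes two instances under the hypothetical sub-URIs /prod and /test on the constructed host redmine.example, with a cookie named autologin; the report does not state its own deployment layout.

```ruby
# Minimal cookie jar following the RFC 6265 path-match rule (section 5.1.4).
# Constructed example: host, paths and token values below are hypothetical.
Cookie = Struct.new(:name, :value, :host, :path)

# RFC 6265 path-match: the cookie path must equal the request path, or be a
# prefix of it that ends in "/" or is followed by "/" in the request path.
def path_match?(cookie_path, request_path)
  return true if cookie_path == request_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"
end

class Jar
  def initialize
    @cookies = {}
  end

  # Browsers key stored cookies on (name, host, path); a new cookie with the
  # same triple silently replaces the old one. The port is not part of the key.
  def store(cookie)
    @cookies[[cookie.name, cookie.host, cookie.path]] = cookie
  end

  # Cookies the browser would attach to a request for host + path.
  def for_request(host, path)
    @cookies.values.select { |c| c.host == host && path_match?(c.path, path) }
  end
end

# Logs in to both instances (prod first, then test), then returns the
# autologin values the browser would send back to the production instance.
def sent_to_prod(prod_cookie_path, test_cookie_path)
  jar = Jar.new
  jar.store(Cookie.new("autologin", "prod-token", "redmine.example", prod_cookie_path))
  jar.store(Cookie.new("autologin", "test-token", "redmine.example", test_cookie_path))
  jar.for_request("redmine.example", "/prod/my/page").map(&:value)
end

if __FILE__ == $PROGRAM_NAME
  p sent_to_prod("/", "/")          # shared path: the test login replaced prod's cookie
  p sent_to_prod("/prod", "/test")  # per-instance path: prod receives only its own cookie
end
```

With both cookies set on path "/", the production instance receives whatever the test instance stored last; scoping each cookie to its instance's sub-URI keeps the two apart.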
