Defect #42079 (open)
Setting an Out-of-Range Value for ‘Session Lifetime’ Causes a 500 Internal Server Error and Renders Redmine Unusable
Description
Environment
- Redmine version 5.1.4.stable
- Ruby version 3.2.6-p234 (2024-10-30) [x86_64-linux]
- Rails version 6.1.7.10
- Database adapter Mysql2
- No plugins
Description
Regarding the “Session lifetime” setting under [Administration] > [Settings] > [Authentication] tab in Redmine: if a value larger than any of the available choices is stored, every request to Redmine results in a 500 Internal Server Error, making login and any other operation impossible.
In general, this issue does not occur during normal operation in the GUI (WebUI), since values are selected from a dropdown menu. The conditions that trigger this issue are as follows:
1. Obtain the authenticity_token while logged in with Redmine administrator privileges.
2. Send the corresponding setting value via a POST request using that authenticity_token.
Based on these conditions, in CVSS v2 terms the access complexity (AC: Access Complexity) is medium and authentication (Au: Authentication) is single. However, since Redmine itself becomes unusable, this bug is being reported as an issue.
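The following Ruby module is an added illustration, not Redmine's own code, of the two checks that prevent this class of failure: rejecting a submitted value that is not one of the permitted choices at write time, and refusing to compute a session cutoff that falls outside the DATETIME range MySQL accepts at read time, so a bad stored value produces a clear error instead of a Mysql2::Error on every request. The module name, the permitted-choice lists and the method names are assumptions for this example; Redmine's actual dropdown values and code paths may differ.

```ruby
require 'time'

# Added illustration, not Redmine's code. Two guards for session settings:
#   1. write-time: only one of the permitted choices may be stored;
#   2. read-time: the computed cutoff must stay inside the DATETIME range the
#      database accepts, so a bad stored value raises a clear error instead of
#      a 500 from Mysql2::Error on every request.
module SessionSettingGuard
  # Permitted choices in minutes. These lists are assumptions for the example;
  # Redmine's real dropdown values may differ.
  ALLOWED = {
    'session_lifetime' => [1440, 10_080, 43_200, 525_600],
    'session_timeout'  => [30, 60, 120, 240, 480, 1440, 2880],
  }.freeze

  # MySQL DATETIME supports years 1000..9999 (TIMESTAMP is narrower still),
  # so any cutoff outside this window is rejected before it reaches a query.
  EARLIEST = Time.utc(1000, 1, 1).to_i
  LATEST   = Time.utc(9999, 12, 31, 23, 59, 59).to_i

  class InvalidSetting < StandardError; end

  # Write-time check: parse the submitted value as a decimal integer and
  # accept it only if it is one of the permitted choices for that setting.
  def self.validate!(name, raw)
    choices = ALLOWED.fetch(name) { raise InvalidSetting, "unknown setting #{name}" }
    value =
      begin
        raw.is_a?(Integer) ? raw : Integer(raw.to_s, 10)
      rescue ArgumentError
        nil
      end
    unless choices.include?(value)
      raise InvalidSetting, "#{name}: #{raw.inspect} is not a permitted choice"
    end
    value
  end

  def self.valid?(name, raw)
    validate!(name, raw)
    true
  rescue InvalidSetting
    false
  end

  # Read-time guard: compute "now minus lifetime" in integer seconds first, and
  # only build a Time when the result lies within the database's range.
  def self.cutoff_for(minutes, now = Time.now.utc)
    cutoff_epoch = now.to_i - (Integer(minutes) * 60)
    unless cutoff_epoch.between?(EARLIEST, LATEST)
      raise InvalidSetting, "lifetime of #{minutes} minutes yields an out-of-range cutoff"
    end
    Time.at(cutoff_epoch).utc
  end

  # A session token last updated at +token_updated_on+ has expired when that
  # time is older than the cutoff for the configured lifetime.
  def self.session_expired?(token_updated_on, lifetime_minutes, now = Time.now.utc)
    token_updated_on < cutoff_for(lifetime_minutes, now)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the healthy value from the report, then the kind
  # of oversized value that produced the error in the log.
  puts SessionSettingGuard.valid?('session_lifetime', '525600')  # true
  puts SessionSettingGuard.valid?('session_lifetime', '9' * 130) # false
  begin
    SessionSettingGuard.cutoff_for(10**120)
  rescue SessionSettingGuard::InvalidSetting => e
    puts "rejected: #{e.message}"
  end
end
```

The write-time check is the one that matters for this defect: once only permitted choices can be stored, the read path in `verify_session_token` never sees a value the database cannot represent. The read-time guard is defence in depth for values that were written before the check existed or directly in the database.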
Log
- production.log (session_lifetime):
2024-11-11 13:10:22 I, [2024-11-11T04:10:22.213565 #1] INFO -- : Started GET "/" for 172.22.0.1 at 2024-11-11 04:10:22 +0000
2024-11-11 13:10:22 I, [2024-11-11T04:10:22.214153 #1] INFO -- : Processing by WelcomeController#index as HTML
2024-11-11 13:10:22 I, [2024-11-11T04:10:22.217841 #1] INFO -- : Completed 500 Internal Server Error in 4ms (ActiveRecord: 0.7ms | Allocations: 1117)
2024-11-11 13:10:22 F, [2024-11-11T04:10:22.218845 #1] FATAL -- :
2024-11-11 13:10:22 ActiveRecord::StatementInvalid (Mysql2::Error: Incorrect DATETIME value: '-4463005062735503222482655784856603883025098983030448705846414029523342816092144159077548313762843174161435924469338849042616476'):
2024-11-11 13:10:22
2024-11-11 13:10:22 app/models/user.rb:478:in `verify_session_token'
2024-11-11 13:10:22 app/controllers/application_controller.rb:86:in `session_expired?'
2024-11-11 13:10:22 app/controllers/application_controller.rb:76:in `session_expiration'
- production.log (session_timeout):
2024-11-11 13:06:30 I, [2024-11-11T04:06:30.052984 #1] INFO -- : Started GET "/" for 172.22.0.1 at 2024-11-11 04:06:30 +0000
2024-11-11 13:06:30 I, [2024-11-11T04:06:30.053969 #1] INFO -- : Processing by WelcomeController#index as HTML
2024-11-11 13:06:30 I, [2024-11-11T04:06:30.058140 #1] INFO -- : Completed 500 Internal Server Error in 4ms (ActiveRecord: 0.9ms | Allocations: 1254)
2024-11-11 13:06:30 F, [2024-11-11T04:06:30.059261 #1] FATAL -- :
2024-11-11 13:06:30 ActiveRecord::StatementInvalid (Mysql2::Error: Incorrect TIMESTAMP value: '-190132431040868585787372620777824170090951749712709896695223-04-18 17:27:30.056272'):
2024-11-11 13:06:30
2024-11-11 13:06:30 app/models/user.rb:478:in `verify_session_token'
2024-11-11 13:06:30 app/controllers/application_controller.rb:86:in `session_expired?'
2024-11-11 13:06:30 app/controllers/application_controller.rb:76:in `session_expiration'
Workaround
If this issue occurs, you can restore normal functionality by modifying the corresponding setting values in the database.
Example of valid setting values:
mysql> select * from settings where name LIKE 'session%';
+----+------------------+--------+---------------------+
| id | name             | value  | updated_on          |
+----+------------------+--------+---------------------+
| 11 | session_lifetime | 525600 | 2024-11-11 02:34:56 |
| 12 | session_timeout  | 2880   | 2024-11-11 02:34:56 |
+----+------------------+--------+---------------------+
2 rows in set (0.00 sec)
Remarks
Likewise, for parameters such as “time_entry_list_defaults” and “issue_list_default_columns” in the administration menu’s settings, it is possible to store invalid values in the same manner. However, unlike the authentication issue described in this report, Redmine itself does not become unusable; the only problem is that a 500 Internal Server Error occurs when the settings menu is opened.