Defect #42199
Stay logged in option prevents users from logging in on Apache + mod passenger
Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Wont fix
Affected version:
Description
I've just verified on a clear installation of Debian 12 + Apache2 + libapache2-mod-passenger that the option Stay logged in on the login form prevents users from logging in. As long as this check box is checked you can't log in.
This is what I see in the log:
```
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Started POST "/login" for 192.168.4.190 at 2025-02-01 09:21:30 +0100
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Processing by AccountController#login as HTML
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Parameters: {"authenticity_token"=>"4UXUTv29KBldIUbhz4MwE926dkb4Xvrvp1X6ujdspLek8oqDvNfdhtxG6KyYvNNbrOGJoCZko_Zx5lBSNyK2-Q", "back_url"=>"/", "username"=>"admin", "password"=>"[FILTERED]", "autologin"=>"1", "login"=>"Login"}
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Current user: anonymous
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Successful authentication for 'admin' from 192.168.4.190 at 2025-02-01 08:21:30 UTC
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Redirected to http://redmine/
App 5836 output: [a8b48f7d-2236-41b7-bd27-5294c2ae4dc3] Completed 302 Found in 24ms (ActiveRecord: 13.5ms (14 queries, 0 cached) | GC: 0.0ms)
App 5836 output: [2106b248-ec9f-4c12-b98f-fc9ce2b57277] Started GET "/" for 192.168.4.190 at 2025-02-01 09:21:30 +0100
App 5836 output: [2106b248-ec9f-4c12-b98f-fc9ce2b57277] Processing by WelcomeController#index as HTML
App 5836 output: [2106b248-ec9f-4c12-b98f-fc9ce2b57277] Current user: anonymous
App 5836 output: [2106b248-ec9f-4c12-b98f-fc9ce2b57277] Redirected to http://redmine/login?back_url=http%3A%2F%2Fredmine%2F
App 5836 output: [2106b248-ec9f-4c12-b98f-fc9ce2b57277] Filter chain halted as :check_if_login_required rendered or redirected
App 5836 output: [2106b248-ec9f-4c12-b98f-fc9ce2b57277] Completed 302 Found in 4ms (ActiveRecord: 0.8ms (3 queries, 0 cached) | GC: 0.0ms)
App 5836 output: [1193f1d4-6d77-4bb1-8442-81f7ae26a692] Started GET "/login?back_url=http%3A%2F%2Fredmine%2F" for 192.168.4.190 at 2025-02-01 09:21:30 +0100
App 5836 output: [1193f1d4-6d77-4bb1-8442-81f7ae26a692] Processing by AccountController#login as HTML
App 5836 output: [1193f1d4-6d77-4bb1-8442-81f7ae26a692] Parameters: {"back_url"=>"http://redmine/"}
App 5836 output: [1193f1d4-6d77-4bb1-8442-81f7ae26a692] Current user: anonymous
App 5836 output: [1193f1d4-6d77-4bb1-8442-81f7ae26a692] Rendered layout layouts/base.html.erb (Duration: 5.3ms | GC: 0.0ms)
App 5836 output: [1193f1d4-6d77-4bb1-8442-81f7ae26a692] Completed 200 OK in 10ms (Views: 5.7ms | ActiveRecord: 1.1ms (3 queries, 0 cached) | GC: 0.0ms)
```
In the code it seems that as soon as the autologin info is written into cookies (`cookies[autologin_cookie_name] = cookie_options`), `session[:user_id]` is empty in the following call request.
The problem has appeared in v6.0.0. As soon as I use another server to run Redmine, e.g. Puma, Stay logged in works as expected.
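The symptom in the log above (a `Successful authentication` line followed by `Current user: anonymous` on the same client's next request) can be picked out of a Passenger-prefixed Redmine log mechanically. The following is an added example, not part of the original report or of Redmine's code; `parse_requests` and `lost_sessions` are hypothetical helper names, and the sample log is constructed from the report's lines with shortened request ids and the token omitted. It only detects the pattern and does not identify its cause.

```ruby
# Constructed sample modelled on the log in the report (request ids shortened, token omitted).
SAMPLE_LOG = <<~LOG
  App 5836 output: [req-1] Started POST "/login" for 192.168.4.190 at 2025-02-01 09:21:30 +0100
  App 5836 output: [req-1] Parameters: {"back_url"=>"/", "username"=>"admin", "password"=>"[FILTERED]", "autologin"=>"1", "login"=>"Login"}
  App 5836 output: [req-1] Current user: anonymous
  App 5836 output: [req-1] Successful authentication for 'admin' from 192.168.4.190 at 2025-02-01 08:21:30 UTC
  App 5836 output: [req-1] Completed 302 Found in 24ms
  App 5836 output: [req-2] Started GET "/" for 192.168.4.190 at 2025-02-01 09:21:30 +0100
  App 5836 output: [req-2] Current user: anonymous
  App 5836 output: [req-2] Filter chain halted as :check_if_login_required rendered or redirected
LOG

# Optional Passenger prefix, then the request-id tag, then the Rails message.
LINE = /\A(?:App \d+ output: )?\[(?<id>[^\]]+)\] (?<msg>.*)\z/

# Group tagged log lines into one record per request, in order of first appearance.
def parse_requests(log)
  requests = {}
  log.each_line(chomp: true) do |line|
    m = LINE.match(line) or next
    r = requests[m[:id]] ||= { id: m[:id] }
    case m[:msg]
    when /\AStarted (\w+) "([^"]*)" for (\S+)/
      r[:verb], r[:path], r[:ip] = $1, $2, $3
    when /\AParameters: .*"autologin"=>"1"/
      r[:autologin] = true
    when /\ACurrent user: (.+)\z/
      r[:current_user] = $1
    when /\ASuccessful authentication for '([^']*)'/
      r[:authenticated_as] = $1
    end
  end
  requests.values
end

# Findings: a login succeeded, yet the same client's next request was still anonymous.
def lost_sessions(log)
  parse_requests(log).group_by { |r| r[:ip] }.flat_map do |ip, reqs|
    reqs.each_cons(2).select { |login, nxt| login[:authenticated_as] && nxt[:current_user] == "anonymous" }
        .map { |login, nxt| { ip: ip, user: login[:authenticated_as], autologin: !!login[:autologin], next_request: "#{nxt[:verb]} #{nxt[:path]}" } }
  end
end

lost_sessions(SAMPLE_LOG).each { |finding| puts finding }
```
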