Defect #16489

Autologin Cookie doesn't differentiate between different Redmine systems within the same browser

Added by Kevin Brand over 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version: -
Resolution: No feedback
Start date: -
Due date: -
% Done: 0%
Affected version: 2.2.4

Description

When I'm using two different Redmine systems (for example a working system and a testing system) within the same browser (tested with Chrome and IE), the autologin cookie automatically registers, every time, the two users of each system that have the same ID in the databases.

An example: I'm logged in on the working system with my work account. Now I open a new tab, go to the testing system and register myself with a test account.
When I now go back to the working system and refresh the page, I'm no longer logged in with my work account, but with the account of another workmate, which has the same ID in the working system database as the test account has in the testing system database.

There is no authentication (password) needed, which means that I am able to log in as each user of the working system, as long as I have a user on my testing system with the same ID.


Related issues

Related to Redmine - Patch #21169: Use config.relative_url_root as the default path for sess... Closed

History

#1 Updated by Ebrahim Mohammadi over 3 years ago

Aren't you using the same secret token for both of your Redmine instances?

#2 Updated by Toshi MARUYAMA over 3 years ago

  • Status changed from New to Needs feedback

Ebrahim Mohammadi wrote:

Aren't you using the same secret token for both of your Redmine instances?

And you can change the path by adding config/additional_environment.rb with the following content.

# config/additional_environment.rb: scope this instance's session cookie to its own path
config.session_store :cookie_store, {
  :key  => '_redmine_session',
  :path => '/redmine',
}

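The shared-secret situation the two comments above point at, shown as an added example that is not Redmine's or Rails' own code: a simplified Rails-style signed session cookie checked by two "instances". With the same secret token, a cookie issued by one instance for user id N is accepted by the other as user N; with distinct secrets it is rejected. RedmineInstance and cross_instance_login are hypothetical names.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed, simplified model of a Rails cookie_store session cookie:
# base64(JSON payload) followed by "--" and an HMAC-SHA1 over the payload,
# keyed with the instance's secret token. Hypothetical class, not Redmine's
# or Rails' own code.
class RedmineInstance
  def initialize(name, secret_token)
    @name = name
    @secret = secret_token
  end

  # Mint the session cookie this instance would set for a logged-in user.
  def issue_session_cookie(user_id)
    data = Base64.strict_encode64(JSON.generate("user_id" => user_id))
    "#{data}--#{digest(data)}"
  end

  # Accept a presented cookie: returns the user id it names, or nil when the
  # signature does not verify under THIS instance's secret.
  def user_id_from_cookie(cookie)
    data, sig = cookie.to_s.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless constant_time_equal?(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))["user_id"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, data)
  end

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Which user, if any, does +target+ log in when the browser presents the
# session cookie that +other+ issued for +user_id+?
def cross_instance_login(target, other, user_id)
  target.user_id_from_cookie(other.issue_session_cookie(user_id))
end
```

Giving each instance its own secret token (and, as Toshi suggests, its own cookie path) is what keeps the second cookie from being honoured by the first system.
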
#4 Updated by Go MAEDA about 2 years ago

  • Related to Patch #21169: Use config.relative_url_root as the default path for session and autologin cookies added

#5 Updated by Toshi MARUYAMA about 2 years ago

  • Status changed from Needs feedback to Closed
  • Priority changed from Urgent to Normal
  • Resolution set to No feedback

No feedback.
