Users automatically gain session of each other

Added by Ben Sairo over 9 years ago

I log in to my account and, after a few clicks around, I am automatically logged in as another user, meaning I gain their session. Other users see the same thing: they automatically gain each other's sessions. My environment is:
Redmine version 2.3.1.stable
Ruby version 1.8.7 (x86_64-linux)
Rails version 3.2.13
Environment production
Database adapter Mysql2
OS Ubuntu server 12.10 64bit

Any help please, I'm desperate. Problem doesn't happen on Windows box :-(

Replies (6)

RE: Users automatically gain session of each other - Added by Jean-Baptiste Barth over 9 years ago

There's absolutely no reason this should happen. Do you have custom plugins installed? Do you host your Redmine with "Passenger"? If so, show us your config.

RE: Users automatically gain session of each other - Added by Ben Sairo over 9 years ago

Dear,
I have some plugins, but even if I remove all plugins the problem still happens.

I do use passenger, the config in Apache config file is:
-----------------------------------------------------------
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19
PassengerRuby /usr/bin/ruby1.8
-----------------------------------------------------------
database.yml:
-----------------------------------------------------------

production:
  adapter: mysql2
  database: redmine
  host: 127.0.0.1
  username: xxxx
  password: "xxxxx" 
  encoding: utf8

------------------------------------------------------------
configuration.yml:
------------------------------------------------------------

default:
  # Outgoing emails configuration (see examples above)
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: 127.0.0.1
      port: 25
      domain: xxxx
      authentication: :none      

  autologin_cookie_name:
  autologin_cookie_path:
  autologin_cookie_secure:

  scm_subversion_command:
  scm_mercurial_command:
  scm_git_command:
  scm_cvs_command:
  scm_bazaar_command:
  scm_darcs_command:

  database_cipher_key:

  rmagick_font_path:

--------------------------------------------------------
The attachment is the settings.yml file.
Thanks

settings.yml (3.62 KB)

RE: Users automatically gain session of each other - Added by Jean-Baptiste Barth over 9 years ago

Maybe see this thread: http://stackoverflow.com/questions/1524187/users-take-sessions-of-other-users-when-sessions-are-stored-in-memcached-rails but we're far from a standard redmine install. I guess you don't use memcached?

Else inspect your cookies on two different computers that get the same session without any reason. See if there's anything strange.

I'd also recommend you change your secret token (in config/initializers/secret_token.rb if I'm not mistaken, or something like that). It will invalidate current sessions but hopefully will improve the situation. At least check it is not blank.

RE: Users automatically gain session of each other - Added by Ben Sairo over 9 years ago

I don't use Memcached.

I checked the request/response and see that when the session exchange happens, the session id sent in the request cookie is different from the one received in the response. I really don't understand why, and it's so confusing.

Another note: in the production.log file I see that all client IPs are recorded as the same one, which is the gateway IP. This seems to be due to the firewall (Kerio Control), and I have no idea if it's the reason, nor how to get the real IP recorded.
However, I have other Ruby applications installed on the same server, like Gitorious, that don't encounter this session issue.

I did try to change the secret token; it didn't help.
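
The cookie comparison across two computers suggested above, as an added example that is not part of the original thread or Redmine's own code: it takes header captures labelled by the computer they were recorded on (constructed sample data here) and reports any session cookie value that turns up on a computer other than the one that first received it. The cookie name `_redmine_session` and the function names are assumptions.

```ruby
# Added example (not Redmine code): cross-check header captures taken on
# two computers for a session cookie that crosses from one to the other.
SESSION_COOKIE = '_redmine_session' # assumed cookie name; adjust to your install

# Constructed sample data: one entry per HTTP exchange, labelled by the
# computer it was captured on (the server log only shows the gateway IP).
EXCHANGES = [
  { client: 'pc-a', path: '/login',    cookie: nil,
    set_cookie: '_redmine_session=AAA; path=/; HttpOnly' },
  { client: 'pc-b', path: '/login',    cookie: nil,
    set_cookie: '_redmine_session=BBB; path=/; HttpOnly' },
  { client: 'pc-a', path: '/projects', cookie: '_redmine_session=AAA', set_cookie: nil },
  { client: 'pc-b', path: '/issues',   cookie: '_redmine_session=BBB',
    set_cookie: '_redmine_session=AAA; path=/; HttpOnly' },
  { client: 'pc-b', path: '/my/page',  cookie: '_redmine_session=AAA', set_cookie: nil }
].freeze

# Extract one cookie's value from a Cookie or Set-Cookie header (nil if absent).
def cookie_value(header, name, set_cookie: false)
  pairs = header.to_s.split(/;\s*/)
  pairs = pairs.first(1) if set_cookie # attributes follow the first pair
  pairs.each do |pair|
    key, value = pair.split('=', 2)
    return value if key.to_s.strip == name
  end
  nil
end

# Returns one finding per value seen on a computer other than the one that
# first received it; values never issued within the capture are skipped.
def cross_client_sessions(exchanges, name = SESSION_COOKIE)
  owner = {}
  findings = []
  exchanges.each_with_index do |ex, i|
    sent   = cookie_value(ex[:cookie], name)
    issued = cookie_value(ex[:set_cookie], name, set_cookie: true)
    { sent: sent, issued: issued }.each do |direction, value|
      next if value.nil?
      owner[value] ||= ex[:client] if direction == :issued
      first = owner[value]
      next if first.nil? || first == ex[:client]
      findings << { index: i, client: ex[:client], path: ex[:path],
                    direction: direction, value: value, first_seen_on: first }
    end
  end
  findings
end

cross_client_sessions(EXCHANGES).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

If the session is stored in the cookie itself, the value changes whenever the session contents change, so the check keys on a value crossing computers rather than on a value changing.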

RE: Users automatically gain session of each other - Added by Oleksandr Melnyk about 6 years ago

Having exactly the same bug. We are using Redmine within a subpath (/mine) on the same host as another application; the Redmine base path is set by Passenger, and we are also using the autologin cookie. Very often the Redmine session just becomes that of another user; hard to debug, pretty weird.
Redmine version 3.2.3-stable.

RE: Users automatically gain session of each other - Added by Toshi MARUYAMA about 6 years ago

Oleksandr Melnyk wrote:

Having exactly the same bug. We are using Redmine within a subpath (/mine) on the same host as another application; the Redmine base path is set by Passenger, and we are also using the autologin cookie. Very often the Redmine session just becomes that of another user; hard to debug, pretty weird.
Redmine version 3.2.3-stable.

Did you change "autologin_cookie_path"?
See #21169.
