multiple instances: unexpected session termination issues
Added by Ingo R about 11 years ago
Hello,
I am trying to set up Apache with multiple Redmine instances. They all have their own code base and use their own database. The first configured Redmine instance works well. With all other instances I notice a problem with the session handling. If I click through the web interface, I get logged off unexpectedly very often. This happens mostly when switching projects. It seems that this happens only if I use an admin account, and it does not happen if I select the "auto login" checkbox on the logon screen. I'm aware that the session cookie will be overwritten if one switches between two instances. But this is not the case here. The problem arises when moving within one single instance.
The Apache configuration of the virtual host regarding redmine looks like
    DocumentRoot /var/www/redmine
    <Directory /var/www/redmine>
        Order allow,deny
        Allow from all
        AllowOverride none
        Options SymLinksIfOwnerMatch
    </Directory>

    RailsBaseURI /redmine
    PassengerUser svnrun
    <Directory /srv/redmine-2.3.3/public>
        AllowOverride all
        Options -MultiViews
    </Directory>

    RailsBaseURI /tmp
    PassengerUser svnrun
    <Directory /srv/redmine-2.3.3_tmp/public>
        AllowOverride all
        Options -MultiViews
    </Directory>
    ...
With the symbolic links:
    # ls -l /var/www/redmine/
    insgesamt 0
    lrwxrwxrwx 1 root root 25 Okt 6 23:58 redmine -> /srv/redmine-2.3.3/public
    lrwxrwxrwx 1 root root 29 Okt 6 23:03 tmp -> /srv/redmine-2.3.3_tmp/public
The folder /srv/redmine-2.3.3_tmp of the second instance is a copy of /srv/redmine-2.3.3, and it uses a copy of the database of the first instance. The sudden session termination issues occur only for the instance /srv/redmine-2.3.3_tmp. If I remove the configuration part of the first instance (/srv/redmine-2.3.3) from the Apache configuration, the situation changes. Now /srv/redmine-2.3.3_tmp is the first instance and I have no unexpected session terminations anymore.
Did I configure something wrong or is this a behaviour which can't be changed?
Ingo
---
Environment:
    OS: Linux Debian Wheezy (7)
    Database: MySQL 5.0.51

    /srv/redmine-2.3.3# RAILS_ENV=production script/about
    Environment:
      Redmine version 2.3.3.stable
      Ruby version 1.9.3-p194 (2012-04-20) [x86_64-linux]
      Rails version 3.2.13
      Environment production
      Database adapter Mysql2
    Redmine plugins:
      redmine_close_button 0.0.8
      redmine_hudson 2.1.2
      redmine_ldap_sync 2.0.2
      redmine_local_avatars 0.1.1
      redmine_scm 0.4.3
Replies (2)
RE: multiple instances: unexpected session termination issues
Added by Jan Niggemann (redmine.org team member) about 11 years ago
My guess is that it's related to the session-cookie...
RE: multiple instances: unexpected session termination issues
Added by Ingo R about 11 years ago
I found the reason which caused this issue and a solution.
Somebody defined a link to a logo in the description of his project. It looked like:
!{width:100px}https://redmine.server/redmine/attachments/download/3670/logo.png!
Normally this logo will be displayed on the overview page of the project. Moreover it will be shown on the page, where all accessible projects are listed.
Two redmine instances were configured on this server:
    https://redmine.server/redmine
    https://redmine.server/tmp
The second was a clone of the first, which I used for testing an upgrade to a newer Redmine version. The projects page https://redmine.server/tmp/projects in the second instance contained a link to the above logo. Because this was an absolute link, the browser tried to fetch the image from the first instance https://redmine.server/redmine. This presented another session cookie, which invalidates the session cookie of the /tmp instance.
The most affected user was the administrator, because he has access to all projects. The test user without admin permissions, which I used additionally, did not have access to the project with the logo link. Therefore the problem didn't arise for him.
To solve the issue, I created the file config/additional_environment.rb in each instance with the following content:
Instance /redmine:
    config.session_store :cookie_store, {
      :key => '_redmine_session',
      :path => '/redmine',
    }
Instance /tmp:
    config.session_store :cookie_store, {
      :key => '_redmine_session',
      :path => '/tmp',
    }
Because of the different paths where the session cookies of both instances are valid, they don't influence each other anymore.
This was inspired by the hint in this issue:
http://www.redmine.org/issues/14237
Ingo
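
The cookie scoping behind this fix, as an added example that is not part of the original post or of Redmine's code: a minimal single-host cookie jar using the RFC 6265 path-match rule, replaying the /tmp login followed by the image fetch from /redmine. The `CookieJar` class, the `simulate` helper and the session values are hypothetical, and the "before" case assumes both instances issued the cookie with Path=/.

```ruby
# Added illustration: minimal cookie jar following RFC 6265 path rules.
# Paths mirror the thread; session values are constructed sample data.

# RFC 6265 section 5.1.4: does a cookie scoped to cookie_path apply
# to a request for request_path?
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

class CookieJar
  def initialize
    @store = {} # keyed by [name, path]; this sketch models one host only
  end

  # A Set-Cookie with the same name and path replaces the stored value.
  def set(name, value, path)
    @store[[name, path]] = value
  end

  # Values the browser would send with a request for request_path.
  def sent_for(name, request_path)
    @store.select { |(n, p), _| n == name && path_match?(request_path, p) }.values
  end
end

# Replays the scenario from the post: log in to /tmp, then the projects
# page embeds an image served by /redmine, whose response carries that
# instance's own session cookie.
def simulate(redmine_path, tmp_path)
  jar = CookieJar.new
  jar.set('_redmine_session', 'tmp-session', tmp_path)         # login on /tmp
  jar.set('_redmine_session', 'redmine-session', redmine_path) # image response
  jar.sent_for('_redmine_session', '/tmp/projects')
end

shared = simulate('/', '/')            # assumed "before": both cookies at Path=/
scoped = simulate('/redmine', '/tmp')  # paths from additional_environment.rb

puts "shared path -> /tmp receives #{shared.inspect}"
puts "scoped path -> /tmp receives #{scoped.inspect}"
```

With a shared path the /tmp instance is handed the other instance's session value, which it cannot use; with per-instance paths each application only ever sees its own cookie.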