> > > > > > I am investigating a problem with the SelfService login page where
> > > > > > unprivileged users must login two times in a row for it to succeed.
> > > > > > I found this thread:
> > > > > >
> > > > > > http://www.gossamer-threads.com/lists/rt/users/90794
> > > > > >
> > > > > > and I think that my issue is the same. Unfortunately, I cannot
> > > > > > find the original patch for 3.8.0 - 3.8.5 that I applied. Does
> > > > > > anyone have a copy of the patch or an idea on how to debug this.
> > > > > >
> > > > > > Regards,
> > > > > > Ken
> > > > > >
> > > > >
> > > > > I had to make the same change to:
> > > > >
> > > > > share/html/Elements/SetupSessionCookie
> > > > >
> > > > > as described in the thread to eliminate the double login.
> > > > > Like the original thread, I am curious if there is a problem
> > > > > with this fix or a better one? I am running 3.8.5.
> > > >
> > > > I'm not sure which fix you're referencing, since my sha1 in that
> > > > thread was for the 3.6 fix, which was a backport of
> > > > 84022062cec889f1cabf1d4a10e28b7b66addf23 from 3.8
> > > >
> > > > This was a fix for users going to http://rt.server/ and logging in and
> > > > losing the cookie when being redirected by mod_perl to
> > > > http://rt.server/SelfService/
> > > >
> > > > Again, not sure what fix you applied, so it's hard to comment further.
> > >
> > > It was the 3.8 session fixation patch.
> >
> > So, that fixed the double login or caused it?
>
> It caused it. I removed the second half of the test in the unless
> just like the mention in the thread. Then it worked again, but
> with what consequences?

That change should be fine. The actual 3.8.6 (which contains a fix) completely rewrites the code path. Unfortunately, it's hard to comment more on a patch from 2009 without a lot more digging.

-kevin
