
Sorry, this is not my mother language.

Setup:

We have a machine running Redmine with these versions:

Redmine - v2.6.10-3

Ruby -v2.1.9p490

Rake -v10.4.2

Rails -v4.2.5.1

Phusion Passenger -v5.0.6

MySQL -v5.6.30

Apache -v2.4.20

Sometimes (we can't replicate this issue) some users are working and then the user changes account: the server gives them the cookie of other users. I have already tried almost everything I found on StackOverflow and on Redmine.org, and have no clue.

I don't know how to be more specific on this, because we cannot emulate the problem on the development server.

Extra info: it has two ports, HTTP and HTTPS, not sure if relevant.

Does anyone know if there is any incompatibility between these versions?

It's almost the same thing described in these posts, but we couldn't repair it with the solutions provided; it still happens:

http://www.redmine.org/boards/2/topics/37771

Users take sessions of other users when sessions are stored in memcached (Rails)

Thank you very much.

lazzy_ms
Foo Bar
  • Well, two ideas come to my mind. The first one: in some systems, the session ID is included in the URL as a GET parameter. So, is there any possibility that users are sharing links to Redmine with each other, and sending them with the session ID included? Something like this: `http://redmine.org/issue/1234/?sessionID=XYZ`. The second thought may be related, if you have too many users. Because a session is basically a randomly generated hash and poor systems can allow a so-called hash collision. It has very low possibility, so it may be why you can't reproduce it on the development server. – Maxim Mazurok Jul 11 '18 at 01:55
  • Well, it's not the URL one, but good thinking out of the box, and I'm going to check that hash collision... Maybe, it could be. If it is, I'll ask you to post this as an answer and give you the bounty, even if I have to reopen this or a new one just for you. Thanks for trying. – Foo Bar Jul 11 '18 at 10:32

0 Answers