I use the squeeze-backport of redmine on Debian.

With the default setup, all the Ajax-Post-Requests cause the logout of the current user due to the missing X-CSRF-Token.

Because I could not find a complete solution, I backported the CSRF-Code from a newer relase.

read more