I use the squeeze backport of Redmine on Debian.
With the default setup, all Ajax POST requests log out the current user because of the missing X-CSRF-Token.
Because I could not find a complete solution, I backported the CSRF code from a newer release.