Closed
Bug 260749
Opened 20 years ago
Closed 20 years ago
bonsai buglinks don't use HTTPS
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: Biesinger, Assigned: myk)
Details
the buglinks from bonsai are still using http instead of https; using https would avoid sending the logincookie over an unencrypted connection, and also avoid the redirection.
Comment 3•20 years ago
Myk, Dave: should we be setting "secure=yes" on the login cookie if the initial login was over SSL? Gerv
Assignee
Comment 4•20 years ago
IMHO we should be encrypting all communications between users and Bugzilla, at least for logged in users, in which case we wouldn't need to flag logins as secure. If we don't encrypt all communications, and particularly if we allow users to log in insecurely, then it might make sense to know who logged in how. What would we use the information for?
Comment 5•20 years ago
> IMHO we should be encrypting all communications between users and Bugzilla, at
> least for logged in users, in which case we wouldn't need to flag logins as
> secure.
I'm not sure of your logic here.
If you don't set "secure=yes", then when an already-logged-in user clicks an
HTTP link to Bugzilla (such as used to be on Bonsai), an HTTP request is made
with cookies, which is then redirected to an HTTPS request. So the cookies go in
the clear.
If you set "secure=yes", then that initial HTTP link which gets redirected
happens _without_ cookies, so the cookies don't go in the clear. This is what
I'm suggesting. Or have I misunderstood how this works?
Gerv
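The behaviour described in Comment 5, as an added example that is not part of the original bug thread: Python's standard-library cookie jar stands in for the browser, and the host name, cookie value and `FakeResponse` helper are constructed for illustration. The thread's "secure=yes" corresponds to the `Secure` attribute of the `Set-Cookie` header.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "bugzilla.example"  # constructed host name, not a real server


class FakeResponse:
    """Stand-in for the HTTPS login response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, link_url):
    """Log in over HTTPS with the given Set-Cookie value, then follow link_url.

    Returns the Cookie header the client would attach to link_url, or None.
    """
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{HOST}/index.cgi")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    follow = urllib.request.Request(link_url)
    jar.add_cookie_header(follow)  # applies the Secure check against the URL scheme
    return follow.get_header("Cookie")


# Constructed sample values: the same login cookie without and with Secure.
PLAIN = "logincookie=SAMPLE-TOKEN; path=/"
SECURE = "logincookie=SAMPLE-TOKEN; path=/; secure"

# An old-style HTTP link (which the server would redirect) and its HTTPS form.
HTTP_LINK = f"http://{HOST}/show_bug.cgi?id=260749"
HTTPS_LINK = f"https://{HOST}/show_bug.cgi?id=260749"

if __name__ == "__main__":
    for label, header in (("no Secure", PLAIN), ("Secure", SECURE)):
        for url in (HTTP_LINK, HTTPS_LINK):
            print(f"{label:9} {url:45} Cookie: {cookie_sent(header, url)}")
```

Without `Secure`, the cookie is attached to the plain-HTTP request before any redirect can happen; with it, the HTTP request goes out with no cookie and only the HTTPS request carries it.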
Assignee
Comment 6•20 years ago
Urm, sorry, I misunderstood. Yes, we should be setting secure=yes, even though tokens in the clear are only mildly problematic (authentication credentials and confidential bug information are the more important data to secure).
Updated•9 years ago
Product: mozilla.org → mozilla.org Graveyard