Closed
Bug 43900
Opened 24 years ago
Closed 22 years ago
cookie-based user authentication fails immediately after password change
Categories
(Bugzilla :: User Accounts, defect, P3)
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: C.Ooi, Assigned: myk)
Attachments
(1 file)
The cryptpassword field in the table logincookies and cryptpassword field in the table profiles go out of sync immediately after a password change. This causes an authentication failure in the cookie based user authentication, forcing the user to have to log on again (right after they've changed their passwords). When the user logs on, a new cookie (which reflects the changed password) is set, and the cookie-based authentication mechanism works again.

This is not a serious bug. It is just a bit annoying for users to have to retype usernames and passwords immediately after they've just typed them in (in the change password process).

Steps to reproduce:
- log in
- go to the edit prefs page (userprefs.cgi)
- on the account settings bank, change your password (fill in old password, new password, re-enter new password and click on submit)
- Bugzilla comes back with a message to the effect that the changes have been saved
- click on any of the links where authentication is required (e.g. enter_bug.cgi, any of the other banks on user preferences - e.g. email settings)
- Bugzilla requests reauthentication of the user

(The SQL statement in the subroutine quietly_check_login in CGI.pl will set $ok to 0 if profiles.cryptpassword != logincookies.cryptpassword)

Suggested fix: Add a few lines to the subroutine SaveAccount to sync the cryptpassword fields in the tables profiles and logincookies when user passwords are changed.
Comment 1•24 years ago
eval for 2.12
Assignee: tara → cyeh
Summary: cookie-based user authentication fails immediately after password change → cookie-based user authentication fails immediately after password change
Whiteboard: 2.12
Comment 3•24 years ago
Bug 20122 would fix this. Note that I personally think it is a good thing for changing your password to automatically log you out, so I would say WONTFIX...
Comment 4•24 years ago
I want to think about the behavior of this some more. Moving off 2.12 list.
Whiteboard: 2.12
Comment 6•23 years ago
Dave, Myk, is this still a problem in the new world?
Target Milestone: --- → Bugzilla 2.16
Comment 7•23 years ago
Yes. I don't see any reason you can't stay logged in after changing your password. If you just changed it you obviously know the new one, so why make them type it a third time?
Updated•23 years ago
Comment 8•23 years ago
-> Bugzilla product
Assignee: justdave → myk
Component: Bugzilla → User Accounts
Product: Webtools → Bugzilla
Version: other → unspecified
Comment 9•23 years ago
We are currently trying to wrap up Bugzilla 2.16. We are now close enough to release time that anything that wasn't already ranked at P1 isn't going to make the cut. Thus this is being retargeted at 2.18. If you strongly disagree with this retargeting, please comment; however, be aware that we only have about 2 weeks left to review and test anything at this point, and we intend to devote this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
Comment 10•22 years ago
I fixed this as part of bug 95732. Changing the password now logs you out of everywhere except the browser where you changed the password from.
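The following is an added example, not part of the bug thread and not the change made in bug 95732. It models the check the report describes (a cookie is accepted only while logincookies.cryptpassword equals profiles.cryptpassword) and one way to get the behaviour described in comment 10. The schema is reduced to the columns named in the report; the function names, cookie numbers and hash strings are constructed for the illustration.

```python
import sqlite3

# Constructed, simplified schema: only the columns the bug report mentions.
SCHEMA = """
CREATE TABLE profiles (userid INTEGER PRIMARY KEY, cryptpassword TEXT);
CREATE TABLE logincookies (cookie INTEGER PRIMARY KEY, userid INTEGER,
                           cryptpassword TEXT);
"""

def cookie_is_valid(db, cookie):
    """Accept a cookie only while its stored hash matches the profile's hash."""
    row = db.execute(
        "SELECT 1 FROM logincookies c JOIN profiles p ON p.userid = c.userid "
        "WHERE c.cookie = ? AND c.cryptpassword = p.cryptpassword",
        (cookie,)).fetchone()
    return row is not None

def change_password_unsynced(db, userid, new_crypt):
    """Reported behaviour: only profiles is updated, so every cookie goes stale."""
    with db:
        db.execute("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
                   (new_crypt, userid))

def change_password_keep_current(db, userid, new_crypt, current_cookie):
    """Behaviour from comment 10: drop every other session, keep this one."""
    with db:  # single transaction: no window where the tables disagree
        db.execute("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
                   (new_crypt, userid))
        db.execute("DELETE FROM logincookies WHERE userid = ? AND cookie <> ?",
                   (userid, current_cookie))
        db.execute("UPDATE logincookies SET cryptpassword = ? "
                   "WHERE userid = ? AND cookie = ?",
                   (new_crypt, userid, current_cookie))

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed data: one user logged in from two browsers (cookies 101, 102).
    db.execute("INSERT INTO profiles VALUES (1, 'crypt-old')")
    db.executemany("INSERT INTO logincookies VALUES (?, 1, 'crypt-old')",
                   [(101,), (102,)])
    change_password_unsynced(db, 1, "crypt-new")
    after_bug = (cookie_is_valid(db, 101), cookie_is_valid(db, 102))
    change_password_keep_current(db, 1, "crypt-newer", current_cookie=101)
    after_fix = (cookie_is_valid(db, 101), cookie_is_valid(db, 102))
    left = db.execute("SELECT COUNT(*) FROM logincookies WHERE userid = 1")
    return after_bug, after_fix, left.fetchone()[0]

if __name__ == "__main__":
    print(demo())
```

Deleting the other rows, rather than leaving them to fail the comparison, means a session held by someone who knew the old password cannot become valid again if the password is later changed back.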
Comment 11•22 years ago
fixing incorrect milestones on fixed bugs.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa