Open Bug 1005931 Opened 10 years ago Updated 6 years ago

Shared Bugzilla with SSL and mod_perl has login cookie issues

Categories

(Bugzilla :: Bugzilla-General, defect)

4.4.4
defect
Not set
normal

UNCONFIRMED

People

(Reporter: jrspam, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140421221237

Steps to reproduce:

I've managed to set up a shared mod_perl Bugzilla environment using the PROJECT variable, and it works perfectly.

Now I'm trying to do the same thing on a different server, with the same basic setup, except that the hosts sharing Bugzilla are running SSL as well. They also have different, unique IP addresses.

Although this second setup basically works, I'm running into problems with login and cookies. Logins for the two Bugzillas seem to interfere with each other, causing repeated login prompts and 'bad password' messages. Apparently this is fairly common with certain Bugzilla setups, but note that I do not have that problem with my original shared mod_perl Bugzilla (the one without SSL).

I'm running Bugzilla 4.4.4. Bugzilla1 is bugs.domain1.com; its cookiedomain is '' and cookiepath is '/'. Bugzilla2 is bugs.domain2.com; its cookiedomain is '' and cookiepath is '/'. My browser is Firefox 29.

I believe Bugzilla defaults to sharing cookies, and that may be the root of the problem, and I've tried playing with both cookiepath and cookiedomain, with no success. For example, I tried setting the two cookiedomain values to 'bugs.domain1.com/' and 'bugs.domain2.com/', but that just resulted in no cookies being created at all.

Note: although normally when making changes to a Bugzilla/mod_perl setup I restart Apache to allow changes to kick in, my understanding is that this is not necessary when only the params files are changed (including changes to cookiedomain and cookiepath). I've confirmed this.

I used LiveHTTPHeaders to watch what happens with the login-related Bugzilla cookies. As long as the two Bugzillas are working normally (no spurious login prompts), the cookies being passed around make sense. Before login, the Bugzilla_login_request_cookie is set with a unique value. After login, Bugzilla_login_request_cookie is effectively cleared, and two new cookies are set: Bugzilla_login and Bugzilla_logincookie. When one of the Bugzillas suddenly prompts for login again, although I see no change in the cookies being passed to the server in the GET header, the server returns this:

Set-Cookie: Bugzilla_login_request_cookie=<new value>; path=/; secure; HttpOnly

It looks like something is making Bugzilla think the user is no longer logged in, and Bugzilla is responding by setting a new value for Bugzilla_login_request_cookie, which triggers the login process again.


Actual results:

Bugzilla prompts for login intermittently after the user is already logged in. Oddly, it doesn't seem to always be necessary to log in again. Usually, just repeating whatever navigation was being attempted (e.g. click on 'Browse') will work.


Expected results:

Bugzilla should consistently remember a user's login, even when it's a shared install, using mod_perl and SSL.

Is urlbase (and/or sslbase) different in both installations? Login cookies should have a different host/domain for each installation and so shouldn't be able to interfere.

Bugzilla1:
  urlbase: http://bugs.domain1.com/
  sslbase: https://bugs.domain1.com/
  sslredirect: on
  cookiepath: '/'
  cookiedomain: ''
  strict_transport_security: this_domain_only

Bugzilla2:
  urlbase: http://bugs.domain2.com/
  sslbase: https://bugs.domain2.com/
  sslredirect: on
  cookiepath: '/'
  cookiedomain: ''
  strict_transport_security: this_domain_only
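
The scoping argument in the reply above (login cookies get "a different host/domain for each installation") and the reporter's earlier observation that a cookiedomain of 'bugs.domain1.com/' produced no cookies can both be checked against RFC 6265. The following is an added example, not part of the bug report or of Bugzilla's code: a simplified JavaScript model of browser cookie storage, with constructed cookie values and the assumption that cookiedomain is emitted as the cookie's Domain attribute.

```javascript
// Added example: simplified model of RFC 6265 cookie scoping (sections 5.1.3, 5.3, 5.4).
// Host names come from the report; cookie values are constructed placeholders.
// 5.1.3: host matches domain if identical, or a dot-separated suffix of a non-IP host.
function domainMatch(host, domain) {
  if (host === domain) return true;
  const isIp = /^[0-9.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Process one Set-Cookie header from requestHost; null means the cookie is ignored.
function storeCookie(requestHost, header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), hostOnly: true, path: '/', secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'path' && v.startsWith('/')) cookie.path = v;
    if (key === 'domain' && v !== '') {
      const d = v.replace(/^\./, '').toLowerCase();
      // 5.3: a Domain the request host does not match drops the whole cookie.
      if (!domainMatch(cookie.domain, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// 5.4: cookies sent with a request to url (path-match simplified to a prefix test).
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar.filter(c => c !== null &&
    (c.hostOnly ? u.hostname === c.domain : domainMatch(u.hostname, c.domain)) &&
    (!c.secure || u.protocol === 'https:') &&
    u.pathname.startsWith(c.path)
  ).map(c => `${c.name}=${c.value}`);
}

// No Domain attribute, as in the Set-Cookie header quoted in the report: host-only cookies.
const jar = [
  storeCookie('bugs.domain1.com', 'Bugzilla_logincookie=AAAA; path=/; secure; HttpOnly'),
  storeCookie('bugs.domain2.com', 'Bugzilla_logincookie=BBBB; path=/; secure; HttpOnly'),
];
console.log(cookiesFor(jar, 'https://bugs.domain1.com/query.cgi'));
console.log(storeCookie('bugs.domain1.com', 'Bugzilla_login=1; domain=bugs.domain1.com/; path=/'));
```

In this model each host receives only its own login cookie, and the Domain value with a trailing slash is dropped at storage time, so cookie scope in the browser does not by itself account for the intermittent prompts.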

The documentation says Bugzilla only supports a single installation on mod_perl, and if you need to host more than one on the same server, only one of them can use mod_perl. The stated reason for this is because mod_perl keeps things loaded in memory, and the Bugzilla::* Perl modules cache things (probably including login cookies), and those caches will collide with each other since mod_perl doesn't separate the Perl module caches by domain.

(In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #3)
> The documentation says Bugzilla only supports a single installation on mod_perl

Right. But this is a shared installation of Bugzilla. Unless this somehow doesn't qualify as a shared installation, perhaps due to the two Bugzillas having different IP addresses.

I'm actually using the same setup - minus SSL and with a common IP address - on another server, and it works great. In other words, I have another shared install of Bugzilla using mod_perl for both Bugzillas and having no trouble at all with it. That other setup looks like this:

Bugzilla1:
  urlbase: http://bugs.domain.com/
  cookiepath: '/'
  cookiedomain: ''

Bugzilla2:
  urlbase: http://bugs2.domain.com/
  cookiepath: '/'
  cookiedomain: ''

I've confirmed that mod_perl is working for both Bugzillas, and I can use both side by side without any cookie problems on this other setup.

I tried a few more things, including setting cookiedomain to bugs.domain1.com and bugs.domain2.com, clearing both logincookies tables, and removing some unnecessary lines from the Apache configurations. No improvement, although tests seem to confirm that as long as only one of the Bugzillas is being used, it will work as expected; once the second Bugzilla starts being used, the first starts randomly prompting for login.

Update: In my most recent attempt to make this work, I appear to have been successful. It's not entirely clear why it's working now, but I know there have been some changes to Bugzilla's cookies, which might be helping. Also, this latest attempt was on a totally different server, where things are set up a bit differently, with one important difference being that both shared Bugzillas have the same IP address.

I will continue to update this bug as I learn more, but for now, it seems like this is not (or is no longer) an issue.

Hi there Buddy. I am using Mozilla for a long time, and recently we know that Google has announced that sites without SSL will show an error of NOT SECURE in the URL section. Now recently I have moved my site from Namecheap to GoDaddy with an SSL certificate (site: https://www.eaadhar.download/). Everything was OK. But when I open the site in Mozilla, it still shows that SITE IS NOT SECURE. Why? Is there any bug in the Mozilla version? Kindly help. You can check the URL also.
Thanks.

(In reply to mike from comment #7)
> Hi there Buddy. I am using Mozilla for a long time

Sorry to disappoint you, but this bug report is about the Mozilla software called Bugzilla. It sounds like you are having a problem with the Firefox web browser. You can report Firefox bugs on this web site, but you'll have to select the appropriate product (Firefox, not Bugzilla). However, I think it's more likely that you'll find help if you report your problem to your web host, which according to your report is GoDaddy.