remember login feature not working sessions never expire even though set to off after Upgrade to 4.4.6

RESOLVED INVALID

Status

Bugzilla
Administration
3 years ago
3 years ago

People

(Reporter: mdemart1, Unassigned)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Steps to reproduce:

Tried to reset the "remember login" feature again, setting it to off. This worked correctly in our previous 2x version. Not working after the upgrade to 4.4.6.


Actual results:

Sessions never expire even after 24 hours.


Expected results:

Sessions should expire based on the default timeout.

Comment 1

3 years ago
Exact steps to reproduce, step by step without leaving room for interpretation, are highly welcome.

Comment 2

3 years ago
This doesn't look like a Bugzilla bug but rather a web browser bug, because I can reproduce the issue with Firefox, but not with Konqueror. Firefox correctly reports that the cookie must last till the end of the session, but on restart, the login cookie is still there (and of course usable). I can also reproduce with Bugzilla 2.20, so this is not a new issue.
(Reporter)

Comment 3

3 years ago
We are having this issue in Chrome for the most part.
This was working correctly in the old 2x for us. We have not upgraded any OS or browsers etc.
What would be the best approach here?

Comment 4

3 years ago
I was right about this being browser-specific. For Firefox, this was discussed in bug 345345, which is marked as wontfix. Saving and restoring session cookies on restart is considered a feature, not a bug. We have no control over this. For Chrome, this was discussed in https://code.google.com/p/chromium/issues/detail?id=128513, with exactly the same conclusion and resolution. So if you don't want your login cookies to persist, you must explicitly click "Log Out".
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
(Reporter)

Comment 5

3 years ago
We just want the BGZ app to time out. In your CGI.pm file there exists code:

Likely code at play:

CGI.pm in Bugzilla or Bugzilla/Auth
 

    if (!$user->id && $user->authorizer->can_login
        && !$self->cookie('Bugzilla_login_request_cookie'))
    {
        my %args;
        $args{'-secure'} = 1 if Bugzilla->params->{ssl_redirect};

        $self->send_cookie(-name => 'Bugzilla_login_request_cookie',
                           -value => generate_random_password(),
                           -httponly => 1,
                           %args);



This code appears consistent with CGI::Cookie and thus if we require this all we need to do is add:

                      -expires => '+4h',
                      '-max-age' => '+4h',   # key quoted: a bare -max-age parses as -max minus "age"

However, I'm not able to get any parameters to work correctly or consistently. I believe there is some session HASH that writes a token as well to the DB. Bottom line: can we or can't we set a session timeout by customizing the CGI module(s)?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

Comment 6

3 years ago
This won't work. We already set cookies to expire once your web browser is closed (if the remember login feature is turned off). As I said in comment 2 and in comment 4, this is a browser "feature" to retain all cookies and to never purge them.

Login cookies do expire after 30 days of inactivity. The reason for such a long time is that it's very common to go back to Bugzilla again within the next few days or weeks, and we don't want to invalidate cookies too quickly. Purging login cookies after only 4 hours as you suggested is definitely too short, and many developers or heavy Bugzilla users would hate you, including myself. :) Internet Explorer and Konqueror correctly follow the Expire date of cookies and clear them on reboot. Firefox and Chrome do not on purpose, see comment 4.

The only solution for you is to click the Log Out link which will invalidate your login cookies, so that even if they remain stored in your web browser, Bugzilla won't recognize them.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
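
The thread turns on where session lifetime is enforced: a cookie's expiry is only a request to the browser, while a server-side inactivity check (the mechanism comment 6 describes with a 30-day window) holds even when the browser restores the cookie after a restart. The following Perl example was added here to illustrate that check; it is not Bugzilla's code and not from any commenter. The in-memory `%sessions` store, the function names and the token are hypothetical, and the 4-hour window is the value requested in comment 5.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical server-side session store: token => { user, last_used }.
# A real application would keep this in its database; names are illustrative.
use constant IDLE_TIMEOUT => 4 * 60 * 60;    # seconds; the 4 hours from comment 5

my %sessions;

sub create_session {
    my ($token, $user, $now) = @_;
    $sessions{$token} = { user => $user, last_used => $now };
    return;
}

# Returns the user name if the token is still valid, undef otherwise.
# Only server-side state is consulted, so a cookie the browser kept or
# restored is rejected once the idle window has passed.
sub validate_session {
    my ($token, $now) = @_;
    my $s = $sessions{$token} or return;
    if ($now - $s->{last_used} > IDLE_TIMEOUT) {
        delete $sessions{$token};    # same effect as an explicit Log Out
        return;
    }
    $s->{last_used} = $now;          # sliding window: activity extends the session
    return $s->{user};
}

# Constructed scenario: the token and timestamps are sample values.
my $t0 = 1_000_000;
create_session('constructed-token', 'alice', $t0);

for my $case (
    [ 'request 1h after login',           $t0 + 1 * 3600 ],
    [ 'request 4h after login',           $t0 + 4 * 3600 ],
    [ 'browser restored cookie next day', $t0 + 28 * 3600 ],
) {
    my ($label, $now) = @$case;
    my $user = validate_session('constructed-token', $now);
    printf "%-34s => %s\n", $label,
        defined $user ? "accepted ($user)" : 'rejected';
}
```

The second request is accepted because the first one reset the idle clock; the third arrives 24 hours after the last activity and is rejected regardless of what the browser still stores.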