Allow renaming Bugzilla_logincookie and Bugzilla_login to support __Host prefixes

NEW
Unassigned

Status

bugzilla.mozilla.org
General
P3
normal
8 months ago
8 months ago

People

(Reporter: dylan, Unassigned)

Tracking

Production


Description

8 months ago
> Cookies with a name starting with __Host- must be set with the secure flag, must
> be from a secure page (HTTPS), must not have a domain specified (and therefore
> aren't sent to subdomains) and the path must be "/".

There are no pressing security concerns for this right now
(it doesn't stop any known issues) but it would be a "nice to have".
Even after this is implemented, turning it on would require additional administrative and communications work, as we'd invalidate everyone's current login.

For someone looking at working on this, it would involve adding a new setting
to data/params which means editing Bugzilla/Config/Advanced.pm and template/en/default/admin/params/advanced.html.tmpl.

Look for inspiration in bug 594990 / https://github.com/mozilla-bteam/bmo/commit/f64efa79bd78ab59cb65588feacf93e0de475e48 

Implementing this could go two ways: Edit Bugzilla/CGI.pm's cookies(), cookie(), remove_cookie(), and send_cookie() methods to always prefix the cookie name with Bugzilla->params->{cookie_prefix}

OR

search the code for all places where we access the cookies named Bugzilla_logincookie and Bugzilla_login and prefix *those* with the cookie_prefix.

This latter approach might be easier.
I suggest Bugzilla/CGI.pm, so that you're not creating cookie name conflicts at every place where a cookie is named, when pulling from upstream.
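
An added example, not part of the original report or of Bugzilla's code: a single name-mapping function in the spirit of the CGI.pm approach, limited to the two login cookies named in the title, with the `__Host-` rules from the quote enforced when the header is built. `%params`, `wire_name`, `set_cookie_header`, `read_cookie` and the `https` flag are hypothetical names; `cookie_prefix` is the setting proposed in this bug.

```perl
use strict;
use warnings;

# Hypothetical stand-in for Bugzilla->params; cookie_prefix is the setting
# proposed in this bug, not an existing Bugzilla parameter.
my %params = (cookie_prefix => '__Host-');
my %LOGIN_COOKIE = map { $_ => 1 } qw(Bugzilla_login Bugzilla_logincookie);

# Map a logical cookie name to the name used on the wire.
sub wire_name {
    my ($name) = @_;
    return $LOGIN_COOKIE{$name} ? $params{cookie_prefix} . $name : $name;
}

# Build a Set-Cookie value. Browsers reject a __Host- cookie that breaks the
# prefix rules, so fail loudly here instead of shipping a login that never sticks.
sub set_cookie_header {
    my ($name, $value, %attr) = @_;
    my $wire = wire_name($name);
    if ($wire =~ /^__Host-/) {
        die "$wire: Domain attribute not allowed\n" if defined $attr{domain};
        die "$wire: Path must be /\n" if ($attr{path} // '/') ne '/';
        die "$wire: requires an HTTPS request\n" unless $attr{https};
        @attr{qw(path secure)} = ('/', 1);
    }
    my @parts = ("$wire=$value");
    push @parts, "Domain=$attr{domain}" if defined $attr{domain};
    push @parts, "Path=$attr{path}"     if defined $attr{path};
    push @parts, 'Secure'               if $attr{secure};
    push @parts, 'HttpOnly'             if $attr{httponly};
    return join('; ', @parts);
}

# Read a logical cookie from a Cookie request header. A cookie stored under
# the old unprefixed name is not found, which is why enabling the prefix
# invalidates existing logins.
sub read_cookie {
    my ($header, $name) = @_;
    my %jar = map { /^([^=]+)=(.*)$/ ? ($1, $2) : () } split /;\s*/, $header;
    return $jar{ wire_name($name) };
}

# Constructed sample values.
print set_cookie_header('Bugzilla_logincookie', 'abc123', https => 1, httponly => 1), "\n";
print set_cookie_header('LANG', 'en', path => '/bugzilla/'), "\n";
my $bad = eval { set_cookie_header('Bugzilla_login', '42', https => 1, domain => 'example.test') };
print "rejected: $@" unless defined $bad;
my $old = read_cookie('Bugzilla_logincookie=abc123; LANG=en', 'Bugzilla_logincookie');
print 'old-name session cookie ', (defined $old ? 'accepted' : 'ignored'), "\n";
```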