Closed Bug 179192 Opened 22 years ago Closed 21 years ago

Change loginnetmask param to '24' on bmo

Categories

(bugzilla.mozilla.org :: General, enhancement)

x86
Linux
enhancement
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: bbaetz, Assigned: myk)

Details

Currently, the bugzilla login cookies are tied to your IP address. This is done
for security reasons.

However, this has problems for people who are behind a rotating proxy, or use
NAT, or otherwise keep having their IP change under them - they keep having to
log in for various requests.

Bug 20122 added a param to handle this, specifying a number of significant bits
to the netmask. When this is < 32, the user has (when logging in) the option of
making the cookie tied to the particular IP, or being tied to that subnet. This
allows people in that situation to have the option of making their login
slightly less secure[1] in exchange for avoiding the constant need to relogin.

BMO should set this param to a reasonable number; I suggest 24, selecting the
user's current class C net.

[1] you could argue that sending your password over the net in plain text every
time you logged in was less secure than sending a cookie tied to slightly fewer
IP addresses, mind you.
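As an added illustration of the mechanism the report describes (this is not Bugzilla's own code; the function names, the `restrict_to_ip` flag and the 192.0.2.x addresses are assumptions), the following shows how a login cookie bound with a 24-bit netmask survives an address change inside the same /24, while a 32-bit binding does not:

```python
"""Login-cookie binding to an IP address or to its subnet, as selected by
a site-wide 'loginnetmask' parameter (significant bits) plus the per-login
choice the user is offered when that parameter is below 32."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class SessionBinding:
    """What the server records when a cookie is issued: the network the
    cookie may be presented from (a /32 means 'this exact address only')."""
    network: IPv4Network


def bind_session(client_ip: str, loginnetmask: int, restrict_to_ip: bool) -> SessionBinding:
    """Issue a binding for a new login.

    loginnetmask: the site-wide parameter, 0..32 significant bits.
    restrict_to_ip: the user's per-login choice; only meaningful when the
    parameter is below 32, since a site set to 32 always binds exactly.
    """
    if not 0 <= loginnetmask <= 32:
        raise ValueError("loginnetmask must be between 0 and 32")
    bits = 32 if (restrict_to_ip or loginnetmask == 32) else loginnetmask
    # strict=False keeps the network part of the address and discards host bits
    return SessionBinding(IPv4Network(f"{client_ip}/{bits}", strict=False))


def session_valid_from(binding: SessionBinding, request_ip: str) -> bool:
    """Per-request check: may the cookie be used from request_ip?"""
    return IPv4Address(request_ip) in binding.network


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation range.
    # With the parameter set to 24, a user whose proxy rotates within
    # 192.0.2.0/24 stays logged in; a request from another /24 does not.
    subnet = bind_session("192.0.2.17", 24, restrict_to_ip=False)
    print(subnet.network, session_valid_from(subnet, "192.0.2.200"))  # 192.0.2.0/24 True
    print(session_valid_from(subnet, "192.0.3.1"))                     # False
    # The same user choosing "restrict this session to this IP address":
    exact = bind_session("192.0.2.17", 24, restrict_to_ip=True)
    print(exact.network, session_valid_from(exact, "192.0.2.200"))     # 192.0.2.17/32 False
```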
*** Bug 179770 has been marked as a duplicate of this bug. ***

ping? Are we going to do this?

I'm not sure we should be giving users the option to reduce their own security,
since that security is more about protecting other users from harm. Still, this
is obviously useful for a bunch of our users; done. We should have some
explanatory text for this, perhaps linked from the "Restrict this session
to this IP address" field label (bug 193741).

This got done a while back.

... so it's FIXED
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

If you think this is security of any kind, you are deluding yourself. No offence
or anything. :-)

So long as Bugzilla uses plaintext authentication, it's insecure and susceptible
to trivial snooping attacks from people on the same network, and slightly less
trivial snooping attacks from people on other networks. The only way to make
Bugzilla truly secure would be to use SSL. Anything else is merely wallpapering
over the problem and giving everyone a false sense of security.

Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org