Closed
Bug 179192
Opened 22 years ago
Closed 21 years ago
Change loginnetmask param to '24' on bmo
Categories
(bugzilla.mozilla.org :: General, enhancement)
RESOLVED
FIXED
People
(Reporter: bbaetz, Assigned: myk)
Details
Currently, the bugzilla login cookies are tied to your IP address. This is done for security reasons. However, this has problems for people who are behind a rotating proxy, or use NAT, or otherwise keep having their IP change under them - they keep having to log in for various requests.

Bug 20122 added a param to handle this, specifying a number of significant bits to the netmask. When this is < 32, the user has (when logging in) the option of making the cookie tied to the particular IP, or being tied to that subnet. This allows people in that situation to have the option of making their login slightly less secure[1] in exchange for avoiding the constant need to relogin.

BMO should set this param to a reasonable number; I suggest 24, selecting the user's current class C net.

[1] you could argue that sending your password over the net in plain text every time you logged in was less secure than sending a cookie tied to slightly less IP addresses, mind you.
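The trade-off described above, as an added example that is not Bugzilla's own code: a login cookie is tied either to the exact address or to the subnet given by the number of significant bits, and a later request is accepted only from inside that block. The function names and the CIDR-string storage format are assumptions for illustration, and the addresses are constructed samples.

```python
import ipaddress

LOGIN_NETMASK_BITS = 24  # value proposed in this bug; 32 would mean exact-IP only


def cookie_binding(login_ip, restrict_to_ip, netmask_bits=LOGIN_NETMASK_BITS):
    """Return the CIDR block a new login cookie is tied to.

    restrict_to_ip models the per-login choice described above: True pins the
    cookie to the exact address, False widens it to the configured subnet.
    """
    prefix = 32 if restrict_to_ip else netmask_bits
    # strict=False masks off the host bits, e.g. .57/24 -> .0/24
    net = ipaddress.IPv4Network(f"{login_ip}/{prefix}", strict=False)
    return str(net)


def cookie_valid(binding, request_ip):
    """Accept the cookie only if the request comes from inside its block."""
    try:
        return ipaddress.IPv4Address(request_ip) in ipaddress.IPv4Network(binding)
    except ValueError:
        return False  # malformed address: fail closed


def addresses_accepted(binding):
    """How many source addresses could present this cookie successfully."""
    return ipaddress.IPv4Network(binding).num_addresses


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges (RFC 5737).
    subnet = cookie_binding("203.0.113.57", restrict_to_ip=False)
    pinned = cookie_binding("203.0.113.57", restrict_to_ip=True)
    for label, binding in (("subnet", subnet), ("pinned", pinned)):
        print(label, binding, "accepts", addresses_accepted(binding), "address(es)")
        for src in ("203.0.113.57", "203.0.113.200", "198.51.100.9"):
            print("   ", src, "->", cookie_valid(binding, src))
```

With 24 significant bits the cookie is accepted from 256 source addresses instead of one, which is the cost the description weighs against repeated logins.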
Comment 1•22 years ago
*** Bug 179770 has been marked as a duplicate of this bug. ***
Reporter
Comment 2•22 years ago
ping? Are we going to do this?
Assignee
Comment 3•22 years ago
I'm not sure we should be giving users the option to reduce their own security, since that security is more about protecting other users from harm. Still, this is obviously useful for a bunch of our users; done. We should have some explanatory text for this, perhaps linked from the "Restrict this session to this IP address" field label (bug 193741).
Reporter
Comment 4•21 years ago
This got done a while back.
Reporter
Comment 5•21 years ago
... so it's FIXED
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 6•21 years ago
If you think this is security of any kind, you are deluding yourself. No offence or anything. :-) So long as Bugzilla uses plaintext authentication, it's insecure and susceptible to trivial snooping attacks from people on the same network, and slightly less trivial snooping attacks from people on other networks. The only way to make Bugzilla truly secure would be to use SSL. Anything else is merely wallpapering over the problem and giving everyone a false sense of security.
Updated•13 years ago
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org