Closed Bug 228706 Opened 21 years ago Closed 21 years ago

bugzilla cookie expiration dates are invalid including login cookie

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
major

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: mfoster167, Assigned: justdave)

Details

(Whiteboard: [fixed in 2.16.5] [does not affect trunk])

Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier: 


I didn't see this filed previously.  Bugzilla sets the login cookie to expire 
at invalid dates/times.  Also, IE doesn't seem to like the trick of a past 
expiration date as a way to generate a session/login cookie.  Fixing these 
expire times seems to fix a lot of cookie login problems; will test the fix 
again with another Bugzilla installation.

expires=Sun, 30-Jun-2029 00:00:00 GMT [<-- note that 30 jun 2029 is a saturday] 
expires=Sun, 30-Jun-1980 00:00:00 GMT [<-- note that 30 jun 1980 is a monday]

Changing the 1980 expire time which the login/session cookie uses to some valid 
date in the future fixes IE related login problems but it also may decrease 
bugzilla security (logins may never expire).  Ideally, bugzilla should rely on 
a server side login timeout, not the client side. 

And yes my users and I are not going to different URLs/hosts each time which 
might cause this problem.

      June 2029
Su Mo Tu We Th Fr Sa
                1  2
 3  4  5  6  7  8  9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

      June 1980
Su Mo Tu We Th Fr Sa
 1  2  3  4  5  6  7
 8  9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30


Reproducible: Always


Exactly what problem are you seeing?

The 1980 is set when you LOG OUT, meaning it's trying to convince the browser to
immediately delete the cookie.

There is a server-side timeout, currently 30 days from your last access.  You
can change this in CGI.pl in 2.16.x and in Bugzilla/Auth/Cookie.pm in 2.17.x.

The cgis are explicitly trying to convince the browser to logout by setting an 
expiration date in the past?  Wouldn't it be easier to unset that cookie or 
prevent the server side from accepting that user's cookie further?  I guess the 
cookie already equals NULL so the former may be difficult.

I'm seeing users and myself constantly having to relogin after submitting a new 
bug or making changes to an existing bug.

There is no way to unset a cookie on the client.  That's why you set an
expiration date in the past.  And yes, we invalidate it on the server at the
same time.  That's called trying to not leave a mess. :)

See bug 220817 and see if the proposed docs there help you out any.

So you don't think the slightly invalid expiration dates matter?

Looking at the source now (2.17.6), it says "Tue, 15-Sep-1998 21:49:00 GMT"
everyplace it's trying to expire a cookie.

In 2.16.4 however, it's how you mentioned.  And yes, that looks very wrong.  Not
only is it the wrong day of the week, it's using a 2-digit year. :)  Is that 2080?

Guess what.  30-June-2080 is a Sunday. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [wanted for 2.16.5] [does not affect trunk]
Target Milestone: --- → Bugzilla 2.16
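
An added example, not part of the original bug thread or of Bugzilla's code: a small Python check for the weekday mismatch discussed above, run on the three expires= values quoted in this bug plus one constructed two-digit-year value. The names `check_expires`, `COOKIE_DATE` and `SAMPLES` are hypothetical.

```python
import re
from datetime import date

# Cookie date in the form quoted in this bug: "Sun, 30-Jun-2029 00:00:00 GMT".
COOKIE_DATE = re.compile(
    r"(?P<dow>[A-Za-z]{3}), (?P<day>\d{1,2})-(?P<mon>[A-Za-z]{3})-(?P<year>\d{4}|\d{2}) "
    r"\d{2}:\d{2}:\d{2} GMT"
)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()  # same order as date.weekday()

# First three values are quoted in this bug; the last is constructed (two-digit year).
SAMPLES = [
    "Sun, 30-Jun-2029 00:00:00 GMT",
    "Sun, 30-Jun-1980 00:00:00 GMT",
    "Tue, 15-Sep-1998 21:49:00 GMT",
    "Sun, 30-Jun-80 00:00:00 GMT",
]


def check_expires(value):
    """Return a list of problems with an expires= date; an empty list means consistent."""
    m = COOKIE_DATE.fullmatch(value.strip())
    if m is None:
        return ["not in 'Wdy, DD-Mon-YYYY HH:MM:SS GMT' form"]
    problems = []
    year = int(m["year"])
    if len(m["year"]) == 2:
        # RFC 6265 section 5.1.1 reading of two-digit years: 70-99 -> 19xx, 00-69 -> 20xx.
        year += 1900 if year >= 70 else 2000
        problems.append(f"two-digit year, read as {year}")
    try:
        when = date(year, MONTHS.index(m["mon"].title()) + 1, int(m["day"]))
    except ValueError:  # unknown month name or a day the month does not have
        return problems + ["no such calendar date"]
    actual = DAYS[when.weekday()]
    if m["dow"].title() != actual:
        problems.append(f"weekday says {m['dow']} but {when.isoformat()} is a {actual}")
    return problems


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_expires(sample) or "consistent")
```

Running the same check over every Set-Cookie header an application emits catches this class of mistake before a browser has to decide how to interpret it.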

Just for reference, the 15-Sep-1998 date happens to coincide with the exact time
of the check-in of the Perl version of Bugzilla into CVS after it got ported
from TCL. :)  (which was also the first public release of Bugzilla, as version 2.0)

I changed it when I CGI.pm'd cookie handling. And yes, it is the beginning of
bz-in-perl which I used for the date.

I'd be really, really, really surprised if the invalid dates broke anything.
No one has reported that before...

Attached patch: Patch v1
Attachment #139309 - Flags: review?(myk)

Comment on attachment 139309
Patch v1

Looks good, works as far as I can tell. r=myk
Attachment #139309 - Flags: review?(myk) → review+

Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.153.2.7; previous revision: 1.153.2.6
done
Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v  <--  buglist.cgi
new revision: 1.169.2.12; previous revision: 1.169.2.11
done
Checking in colchange.cgi;
/cvsroot/mozilla/webtools/bugzilla/colchange.cgi,v  <--  colchange.cgi
new revision: 1.24.2.3; previous revision: 1.24.2.2
done
Checking in createaccount.cgi;
/cvsroot/mozilla/webtools/bugzilla/createaccount.cgi,v  <--  createaccount.cgi
new revision: 1.21.2.4; previous revision: 1.21.2.3
done
Checking in post_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.52.2.8; previous revision: 1.52.2.7
done
Checking in query.cgi;
/cvsroot/mozilla/webtools/bugzilla/query.cgi,v  <--  query.cgi
new revision: 1.98.2.2; previous revision: 1.98.2.1
done
Checking in relogin.cgi;
/cvsroot/mozilla/webtools/bugzilla/relogin.cgi,v  <--  relogin.cgi
new revision: 1.18.2.1; previous revision: 1.18
done
Status: NEW → RESOLVED
Closed: 21 years ago
Flags: approval+
OS: Windows 2000 → All
Hardware: PC → All
Resolution: --- → FIXED
Whiteboard: [wanted for 2.16.5] [does not affect trunk] → [fixed in 2.16.5] [does not affect trunk]
QA Contact: matty_is_a_geek → default-qa