Closed Bug 228706 Opened 21 years ago Closed 21 years ago

bugzilla cookie expiration dates are invalid including login cookie

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
major

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: mfoster167, Assigned: justdave)

Details

(Whiteboard: [fixed in 2.16.5] [does not affect trunk])

Attachments

(1 file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier:

I didn't see this filed previously. Bugzilla sets the login cookie to expire at invalid dates/times, also, IE doesn't seem to like the trick of a past expiration date as a way to generate a session/login cookie. Fixing these expire times seems to fix a lot of cookie login problems, will test the fix again with another bugzilla installation.

expires=Sun, 30-Jun-2029 00:00:00 GMT [<-- note that 30 jun 2029 is a saturday]
expires=Sun, 30-Jun-1980 00:00:00 GMT [<-- note that 30 jun 1980 is a monday]

Changing the 1980 expire time which the login/session cookie uses to some valid date in the future fixes IE related login problems but it also may decrease bugzilla security (logins may never expire). Ideally, bugzilla should rely on a server side login timeout, not the client side. And yes my users and I are not going to different URLs/hosts each time which might cause this problem.

     June 2029
Su Mo Tu We Th Fr Sa
                1  2
 3  4  5  6  7  8  9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

     June 1980
Su Mo Tu We Th Fr Sa
 1  2  3  4  5  6  7
 8  9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Exactly what problem are you seeing? The 1980 is set when you LOG OUT, meaning it's trying to convince the browser to immediately delete the cookie. There is a server-side timeout, currently 30 days from your last access. You can change this in CGI.pl in 2.16.x and in Bugzilla/Auth/Cookie.pm in 2.17.x
The cgis are explicitly trying to convince the browser to logout by setting an expiration date in the past? Wouldn't it be easier to unset that cookie or prevent the server side from accepting that user's cookie further? I guess the cookie already equals NULL so the former may be difficult. I'm seeing users and myself constantly having to relogin after submitting a new bug or making changes to an existing bug.
There is no way to unset a cookie on the client. That's why you set an expiration date in the past. And yes, we invalidate it on the server at the same time. That's called trying to not leave a mess. :) See bug 220817 and see if the proposed docs there help you out any.
So you don't think the slightly invalid expiration dates matter?
Looking at the source now (2.17.6), it says "Tue, 15-Sep-1998 21:49:00 GMT" everyplace it's trying to expire a cookie. In 2.16.4 however, it's how you mentioned. And yes, that looks very wrong. Not only is it the wrong day of the week, it's using a 2-digit year. :) Is that 2080? Guess what. 30-June-2080 is a Sunday. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [wanted for 2.16.5] [does not affect trunk]
Target Milestone: --- → Bugzilla 2.16
Just for reference, the 15-Sep-1998 date happens to coincide with the exact time of the check-in of the Perl version of Bugzilla into CVS after it got ported from TCL. :) (which was also the first public release of Bugzilla, as version 2.0)
I changed it when I CGI.pm'd cookie handling. And yes, it is the beginning of bz-in-perl which I used for the date. I'd be really, really, really surprised if the invalid dates broke anything. No one has reported that before...
Attached patch Patch v1
Attachment #139309 - Flags: review?(myk)
Comment on attachment 139309 [details] [diff] [review] Patch v1 Looks good, works as far as I can tell. r=myk
Attachment #139309 - Flags: review?(myk) → review+
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v <-- CGI.pl
new revision: 1.153.2.7; previous revision: 1.153.2.6
done
Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v <-- buglist.cgi
new revision: 1.169.2.12; previous revision: 1.169.2.11
done
Checking in colchange.cgi;
/cvsroot/mozilla/webtools/bugzilla/colchange.cgi,v <-- colchange.cgi
new revision: 1.24.2.3; previous revision: 1.24.2.2
done
Checking in createaccount.cgi;
/cvsroot/mozilla/webtools/bugzilla/createaccount.cgi,v <-- createaccount.cgi
new revision: 1.21.2.4; previous revision: 1.21.2.3
done
Checking in post_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi
new revision: 1.52.2.8; previous revision: 1.52.2.7
done
Checking in query.cgi;
/cvsroot/mozilla/webtools/bugzilla/query.cgi,v <-- query.cgi
new revision: 1.98.2.2; previous revision: 1.98.2.1
done
Checking in relogin.cgi;
/cvsroot/mozilla/webtools/bugzilla/relogin.cgi,v <-- relogin.cgi
new revision: 1.18.2.1; previous revision: 1.18
done
Status: NEW → RESOLVED
Closed: 21 years ago
Flags: approval+
OS: Windows 2000 → All
Hardware: PC → All
Resolution: --- → FIXED
Whiteboard: [wanted for 2.16.5] [does not affect trunk] → [fixed in 2.16.5] [does not affect trunk]
QA Contact: matty_is_a_geek → default-qa
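A checker for the weekday mismatch discussed in this bug, as an added example that is not part of the bug report or of the Bugzilla patch: it parses an `expires=` value in the layout quoted above and reports when the named weekday disagrees with the calendar date. The function names `check_expires` and `format_expires` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Added example with hypothetical helper names; this is not Bugzilla code.
# Cookie date layout quoted in the report: "Sun, 30-Jun-2029 00:00:00 GMT"
COOKIE_DATE = re.compile(
    r"^([A-Za-z]{3}), (\d{1,2})-([A-Za-z]{3})-(\d{2,4}) "
    r"(\d{2}):(\d{2}):(\d{2}) GMT$"
)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()  # datetime.weekday() order


def check_expires(value):
    """Return a list of problems in a cookie expires= value (empty if clean)."""
    m = COOKIE_DATE.match(value.strip())
    if not m:
        return ["not in 'Wdy, DD-Mon-YYYY HH:MM:SS GMT' form"]
    wd, day, mon, year, hh, mm, ss = m.groups()
    if len(year) != 4:
        # Without a century the weekday cannot be checked unambiguously.
        return ["year is not four digits"]
    if mon.title() not in MONTHS:
        return ["unknown month name " + mon]
    try:
        dt = datetime(int(year), MONTHS.index(mon.title()) + 1, int(day),
                      int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    except ValueError as exc:  # e.g. 31-Jun or hour 25
        return ["impossible date or time: %s" % exc]
    actual = DAYS[dt.weekday()]
    if wd.title() != actual:
        return ["weekday %s does not match the date (it is a %s)" % (wd, actual)]
    return []


def format_expires(dt):
    """Render an aware datetime as a cookie date, deriving the weekday from it."""
    dt = dt.astimezone(timezone.utc)
    return "%s, %02d-%s-%04d %02d:%02d:%02d GMT" % (
        DAYS[dt.weekday()], dt.day, MONTHS[dt.month - 1], dt.year,
        dt.hour, dt.minute, dt.second)


if __name__ == "__main__":
    # The two values from the report and the 2.17.6 value from the thread.
    for sample in ("Sun, 30-Jun-2029 00:00:00 GMT",
                   "Sun, 30-Jun-1980 00:00:00 GMT",
                   "Tue, 15-Sep-1998 21:49:00 GMT"):
        print(sample, "->", check_expires(sample) or "ok")
```

Deriving the weekday from the date in `format_expires`, rather than hard-coding the whole string, is what keeps the two from drifting apart when the date is later edited.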