The cryptpassword field in the table logincookies and cryptpassword field in the table profiles go out of sync immediately after a password change. This causes an authentication failure in the cookie-based user authentication, forcing the user to have to log on again (right after they've changed their passwords). When the user logs on, a new cookie (which reflects the changed password) is set, and the cookie-based authentication mechanism works again.

This is not a serious bug. It is just a bit annoying for users to have to retype usernames and passwords immediately after they've just typed them in (in the change password process).

Steps to reproduce:
- log in
- go to the edit prefs page (userprefs.cgi)
- on the account settings bank, change your password (fill in old password, new password, re-enter new password and click on submit)
- Bugzilla comes back with a message to the effect that the changes have been saved
- click on any of the links where authentication is required (e.g. enter_bug.cgi, any of the other banks on user preferences - e.g. email settings)
- Bugzilla requests reauthentication of the user

(The SQL statement in the subroutine quietly_check_login in CGI.pl will set $ok to 0 if profiles.cryptpassword != logincookies.cryptpassword)

Suggested fix: Add a few lines to the subroutine SaveAccount to sync the cryptpassword fields in the tables profiles and logincookies when user passwords are changed.

Created attachment 10681: Suggested patch to fix this bug (diff is against CGI.pl 1.67 22 June 2000)
eval for 2.12
Assignee: tara → cyeh
Summary: cookie-based user authentication fails immediately after password change → cookie-based user authentication fails immediately after password change
Bug 20122 would fix this. Note that I personally think it is a good thing for changing your password to automatically log you out, so I would say WONTFIX...
I want to think about the behavior of this some more. Moving off 2.12 list.
Taking all of cyeh's Bugzilla bugs.
Assignee: Chris.Yeh → justdave
Dave, Myk, is this still a problem in the new world?
Target Milestone: --- → Bugzilla 2.16
Yes. I don't see any reason you can't stay logged in after changing your password. If you just changed it you obviously know the new one, so why make them type it a third time?
-> Bugzilla product
Assignee: justdave → myk
Component: Bugzilla → User Accounts
Product: Webtools → Bugzilla
Version: other → unspecified
We are currently trying to wrap up Bugzilla 2.16. We are now close enough to release time that anything that wasn't already ranked at P1 isn't going to make the cut. Thus this is being retargeted at 2.18. If you strongly disagree with this retargeting, please comment; however, be aware that we only have about 2 weeks left to review and test anything at this point, and we intend to devote this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
I fixed this as part of bug 95732. Changing the password now logs you out of everywhere except the browser where you changed the password from.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Depends on: 95732
Resolution: --- → FIXED
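The behaviour discussed in this bug, as an added example that is neither Bugzilla's code nor the attached patch: a Python/sqlite3 model of the cookie check from the report and of the final behaviour, where a password change ends every other session and keeps the one that made the change. The column layout, function names and cryptpassword values are assumptions made for the illustration.

```python
import secrets
import sqlite3

def make_db():
    """In-memory stand-in for the two tables named in the report (assumed columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles (userid INTEGER PRIMARY KEY, cryptpassword TEXT NOT NULL);
        CREATE TABLE logincookies (cookie TEXT PRIMARY KEY, userid INTEGER, cryptpassword TEXT);
    """)
    return db

def login(db, userid):
    """Issue a cookie row carrying a copy of the user's current cryptpassword."""
    cookie = secrets.token_hex(16)
    db.execute(
        "INSERT INTO logincookies (cookie, userid, cryptpassword) "
        "SELECT ?, userid, cryptpassword FROM profiles WHERE userid = ?",
        (cookie, userid))
    return cookie

def cookie_ok(db, cookie):
    """The check described in the report: valid only while both copies match."""
    row = db.execute(
        "SELECT 1 FROM logincookies c JOIN profiles p ON p.userid = c.userid "
        "WHERE c.cookie = ? AND c.cryptpassword = p.cryptpassword", (cookie,)).fetchone()
    return row is not None

def change_password(db, userid, new_crypt, current_cookie=None):
    """Update the password. With current_cookie given, keep only that session alive."""
    with db:  # one transaction, so the tables never disagree halfway through
        db.execute("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
                   (new_crypt, userid))
        if current_cookie is not None:
            # Drop every other session of this user, then resync the one in use.
            db.execute("DELETE FROM logincookies WHERE userid = ? AND cookie <> ?",
                       (userid, current_cookie))
            db.execute("UPDATE logincookies SET cryptpassword = ? "
                       "WHERE userid = ? AND cookie = ?", (new_crypt, userid, current_cookie))

def demo():
    db = make_db()
    db.execute("INSERT INTO profiles VALUES (1, 'crypt-old')")  # constructed values
    here, elsewhere = login(db, 1), login(db, 1)
    change_password(db, 1, "crypt-new")  # reported behaviour: no resync at all
    reported = (cookie_ok(db, here), cookie_ok(db, elsewhere))
    here, elsewhere = login(db, 1), login(db, 1)
    change_password(db, 1, "crypt-newer", current_cookie=here)  # final behaviour
    return reported, (cookie_ok(db, here), cookie_ok(db, elsewhere))
```

Both statements on logincookies are scoped by userid, so a cookie value belonging to another account cannot be resynced through this path.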
fixing incorrect milestones on fixed bugs.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16