cookie-based user authentication fails immediately after password change

RESOLVED FIXED in Bugzilla 2.16



18 years ago
6 years ago


(Reporter: C.Ooi, Assigned: myk)


Bugzilla 2.16




(1 attachment)



18 years ago
The cryptpassword field in the table logincookies and cryptpassword field in the
table profiles go out of sync immediately after a password change.  This causes
an authentication failure in the cookie based user authentication, forcing the
user to have to log on again (right after they've changed their passwords).  

When the user logs on, a new cookie (which reflects the changed password) is
set, and the cookie-based authentication mechanism works again.

This is not a serious bug.  It is just a bit annoying for users to have to
retype usernames and passwords immediately after they've just typed them in (in
the change password process).

Steps to reproduce:
 - log in
 - go to the edit prefs page (userprefs.cgi)
 - on the account settings bank, change your password (fill in old password, new
password, re-enter new password and click on submit)
 - Bugzilla comes back with a message to the effect that the changes have been
 - click on any of the links where authentication is required (e.g.
enter_bug.cgi, any of the other banks on user preferences - e.g. email settings)
 - Bugzilla requests reauthentication of the user 

(The SQL statement in the subroutine quietly_check_login in will set $ok
to 0 if profiles.cryptpassword != logincookies.cryptpassword)

Suggested fix:
Add a few lines to the subroutine SaveAccount to sync the cryptpassword fields
in the tables profiles and logincookies when user passwords are changed.

Comment 1

18 years ago
Created attachment 10681
Suggested patch to fix this bug (diff is against 1.67 22 June 2000)

Comment 2

18 years ago
eval for 2.12
Assignee: tara → cyeh
Summary: cookie-based user authentication fails immediately after password change → cookie-based user authentication fails immediately after password change
Whiteboard: 2.12
Bug 20122 would fix this. Note that I personally think it is a good thing for
changing your password to automatically log you out, so I would say WONTFIX...

Comment 4

18 years ago
I want to think about the behavior of this some more.  Moving off 2.12 list.
Whiteboard: 2.12
Taking all of cyeh's Bugzilla bugs.
Assignee: Chris.Yeh → justdave
Dave, Myk, is this still a problem in the new world?
Target Milestone: --- → Bugzilla 2.16
Yes.  I don't see any reason you can't stay logged in after changing your 
password.  If you just changed it you obviously know the new one, so why make 
them type it a third time?
Keywords: patch, review
-> Bugzilla product
Assignee: justdave → myk
Component: Bugzilla → User Accounts
Product: Webtools → Bugzilla
Version: other → unspecified
We are currently trying to wrap up Bugzilla 2.16.  We are now close enough to
release time that anything that wasn't already ranked at P1 isn't going to make
the cut.  Thus this is being retargeted at 2.18.  If you strongly disagree with
this retargeting, please comment; however, be aware that we only have about 2
weeks left to review and test anything at this point, and we intend to devote
this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
I fixed this as part of bug 95732. Changing the password now logs you out of
everywhere except the browser where you changed the password from.
Last Resolved: 17 years ago
Depends on: 95732
Resolution: --- → FIXED
fixing incorrect milestones on fixed bugs.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
QA Contact: matty_is_a_geek → default-qa
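
The cookie check and the resolution described in this bug, as an added example that is not Bugzilla's code or the attached patch: a Python/sqlite3 model showing the reported behaviour (every session rejected after a password change) beside one way to get the resolved behaviour (other sessions dropped, the current one kept). Only the table names and the two cryptpassword columns come from the report; the other columns, the function names and the password-hash stand-in are assumptions.

```python
import hashlib
import secrets
import sqlite3

def crypt_pw(password):
    # Stand-in for the stored crypt() value; the salt is constructed for this demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000).hex()

def make_db():
    # Simplified schema (assumed): only the cryptpassword columns are from the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (userid INTEGER PRIMARY KEY, cryptpassword TEXT)")
    db.execute("CREATE TABLE logincookies (cookie TEXT PRIMARY KEY, userid INTEGER, cryptpassword TEXT)")
    db.execute("INSERT INTO profiles VALUES (1, ?)", (crypt_pw("old-password"),))
    return db

def login(db, userid):
    # A new cookie row copies the profile's current cryptpassword.
    cookie = secrets.token_hex(16)
    db.execute("INSERT INTO logincookies SELECT ?, userid, cryptpassword "
               "FROM profiles WHERE userid = ?", (cookie, userid))
    return cookie

def cookie_is_valid(db, cookie):
    # Accepted only while logincookies.cryptpassword equals profiles.cryptpassword.
    row = db.execute(
        "SELECT 1 FROM logincookies c JOIN profiles p ON p.userid = c.userid "
        "WHERE c.cookie = ? AND c.cryptpassword = p.cryptpassword", (cookie,)).fetchone()
    return row is not None

def change_password_reported(db, userid, new_password):
    # Reported behaviour: only profiles is updated, so every cookie goes stale.
    db.execute("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
               (crypt_pw(new_password), userid))

def change_password_keep_current(db, userid, new_password, current_cookie):
    # Resolved behaviour: drop every other session, re-sync only the current one.
    new_hash = crypt_pw(new_password)
    db.execute("UPDATE profiles SET cryptpassword = ? WHERE userid = ?", (new_hash, userid))
    db.execute("DELETE FROM logincookies WHERE userid = ? AND cookie <> ?", (userid, current_cookie))
    db.execute("UPDATE logincookies SET cryptpassword = ? WHERE userid = ? AND cookie = ?",
               (new_hash, userid, current_cookie))

def demo(change):
    # Two sessions for one user; returns (this browser valid, other browser valid).
    db = make_db()
    this_browser, other_browser = login(db, 1), login(db, 1)
    change(db, this_browser)
    return cookie_is_valid(db, this_browser), cookie_is_valid(db, other_browser)
```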