Closed
Bug 791035
Opened 12 years ago
Closed 12 years ago
Cookie lifetime should extend beyond session when authenticated via Persona login
Categories
(bugzilla.mozilla.org Graveyard :: Extensions: Persona, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jrgm, Assigned: gerv)
Details
This is a follow-on from https://github.com/mozilla/browserid/issues/2446

:jrgm - https://github.com/mozilla/browserid/issues/2446#issuecomment-8356865
When authenticating to b.m.o with persona it issues session scoped login cookies from bugzilla.mozilla.org. If you authenticate using username + password, cookie expiry is set to year 2038. So on restart when authed with persona you have to pop the dialog again which is a nuisance, but a restart with username+password just lets you back in automatically. Is this a policy decision for the b.m.o RP integration, or unintended? @gerv?

:gerv - https://github.com/mozilla/browserid/issues/2446#issuecomment-8532438
@jrgm: I did not consider cookie lifetime specifically when designing the integration, so I'd have to say it was unintended. That doesn't mean it's the wrong decision, of course :-) Please file a bug in BMO in the "bugzilla.mozilla.org" product to cover this issue, and assign it to me in the first instance.

:lloyd - https://github.com/mozilla/browserid/issues/2446#issuecomment-8535161
thanks for chiming in @gerv - please let us know how we can help, people have been complaining about session duration on bugzilla and you have full access to any of the team to get this fixed!
see also bug 747738
Assignee
Comment 2•12 years ago
From the other bug, it looks like we need to switch APIs. I'm happy to add this to my queue, but my queue is very long, and if someone else wants to take it on, that would be awesome. :-)

Gerv
Comment 3•12 years ago
(In reply to Gervase Markham [:gerv] from comment #2)
> From the other bug, it looks like we need to switch APIs. I'm happy to add
> this to my queue, but my queue is very long, and if someone else wants to
> take it on, that would be awesome. :-)
>
> Gerv

I am happy to take it on but it will be the next quarter as we are booked for a few more weeks ourselves.

dkl
Assignee
Comment 4•12 years ago
We've misdiagnosed the problem here. I don't think that fixing this requires a change of BrowserID API.

If I log in to my local copy of bmo-4.0 using a test account, I get cookies which expire in 2038. If I log in to bugzilla.mozilla.org, I get session cookies. This is because the "rememberlogin" parameter on bugzilla.mozilla.org is set to "defaulton" and on my local install it's set to "on". The code concerned is in Cookie.pm:

    # Remember cookie only if admin has told so
    # or admin didn't forbid it and user told to remember.
    if ( Bugzilla->params->{'rememberlogin'} eq 'on'
         || (Bugzilla->params->{'rememberlogin'} ne 'off'
             && $input_params->{'Bugzilla_remember'}
             && $input_params->{'Bugzilla_remember'} eq 'on') )
    {
        # Not a session cookie, so set an infinite expiry
        $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
    }

We weren't passing the Bugzilla_remember parameter. I've checked in a patch to the master BrowserID extension repo which makes us do that, and I can confirm that with the patch, we get 2038 cookies when the requirelogin parameter is set to "defaulton".

dkl/glob: can you pull that change into the bmo-4.0 repo for the next BMO push day?

Thanks,

Gerv
nice find!

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.0/
modified extensions/BrowserID/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
modified extensions/BrowserID/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
Committed revision 8394.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/BrowserID/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
modified extensions/BrowserID/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
Committed revision 8420.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
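The condition quoted from Cookie.pm in comment 4, evaluated for each login path and each "rememberlogin" setting, as an added example that is not part of this bug or of Bugzilla's own code. The `cookie_expiry` helper, the login-path table, and the assumption that the patched Persona form submits `Bugzilla_remember=on` are illustrative.

```perl
#!/usr/bin/perl
# Added example: models the Cookie.pm condition quoted in comment 4.
# Helper name and login-path table are hypothetical, not Bugzilla code.
use strict;
use warnings;

# Same test as the quoted snippet, with the admin parameter and the
# submitted form fields passed in instead of read from Bugzilla->params.
# Returns the Expires value for a persistent cookie, or undef for a
# session cookie (no -expires argument set).
sub cookie_expiry {
    my ($rememberlogin, $input_params) = @_;
    my $remember = $input_params->{'Bugzilla_remember'};
    if ($rememberlogin eq 'on'
        || ($rememberlogin ne 'off' && $remember && $remember eq 'on'))
    {
        return 'Fri, 01-Jan-2038 00:00:00 GMT';
    }
    return;
}

# Constructed form submissions, one per login path discussed in the bug.
my @paths = (
    [ 'password, remember ticked'   => { Bugzilla_remember => 'on' } ],
    [ 'password, remember unticked' => {} ],
    [ 'Persona before the fix'      => {} ],    # field never sent
    # Assumption: the patched template sends Bugzilla_remember=on.
    [ 'Persona after the fix'       => { Bugzilla_remember => 'on' } ],
);

# Walk every admin setting so the effect of each one is visible:
# 'on' always persists, 'off' never does, the two default* values
# depend entirely on whether the form sent Bugzilla_remember.
for my $setting (qw(on defaulton defaultoff off)) {
    for my $path (@paths) {
        my ($label, $fields) = @$path;
        my $expires = cookie_expiry($setting, $fields);
        printf "%-10s  %-28s  %s\n", $setting, $label,
            defined $expires ? "expires $expires" : 'session cookie';
    }
}
```

The same matrix is a quick way to audit a deployment: with "rememberlogin" set to "off", no login path can obtain a cookie that outlives the browser session.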
Comment 6•12 years ago
When will the fix be released?
Comment 7•12 years ago
(In reply to Renato Silva from comment #6)
> When will the fix be released?

Should go out in the next code push either this Thursday or next. BMO is on a weekly release train.

dkl
Updated•6 years ago
Product: bugzilla.mozilla.org → bugzilla.mozilla.org Graveyard