Closed Bug 791035 Opened 12 years ago Closed 12 years ago

Cookie lifetime should extend beyond session when authenticated via Persona login

Categories

(bugzilla.mozilla.org Graveyard :: Extensions: Persona, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jrgm, Assigned: gerv)


This is a follow-on from https://github.com/mozilla/browserid/issues/2446

:jrgm - https://github.com/mozilla/browserid/issues/2446#issuecomment-8356865

    When authenticating to b.m.o with persona it issues session scoped
    login cookies from bugzilla.mozilla.org. If you authenticate using
    username + password, cookie expiry is set to year 2038.

    So on restart when authed with persona you have to pop the dialog
    again which is a nuisance, but a restart with username+password just
    lets you back in automatically. Is this a policy decision for the
    b.m.o RP integration, or unintended? @gerv?

:gerv - https://github.com/mozilla/browserid/issues/2446#issuecomment-8532438

    @jrgm: I did not consider cookie lifetime specifically when designing
    the integration, so I'd have to say it was unintended. That doesn't
    mean it's the wrong decision, of course :-) Please file a bug in BMO
    in the "bugzilla.mozilla.org" product to cover this issue, and assign
    it to me in the first instance.

:lloyd - https://github.com/mozilla/browserid/issues/2446#issuecomment-8535161

    thanks for chiming in @gerv - please let us know how we can help,
    people have been complaining about session duration on bugzilla and
    you have full access to any of the team to get this fixed!

see also bug 747738

From the other bug, it looks like we need to switch APIs. I'm happy to add this to my queue, but my queue is very long, and if someone else wants to take it on, that would be awesome. :-)

Gerv

(In reply to Gervase Markham [:gerv] from comment #2)
> From the other bug, it looks like we need to switch APIs. I'm happy to add
> this to my queue, but my queue is very long, and if someone else wants to
> take it on, that would be awesome. :-)
> 
> Gerv

I am happy to take it on but it will be the next quarter as we are booked for a few more weeks ourselves.

dkl
We've misdiagnosed the problem here. I don't think that fixing this requires a change of BrowserID API. If I log in to my local copy of bmo-4.0 using a test account, I get cookies which expire in 2038. If I log in to bugzilla.mozilla.org, I get session cookies. 

This is because the "rememberlogin" parameter on bugzilla.mozilla.org is set to "defaulton" and on my local install it's set to "on". The code concerned is in Cookie.pm:

    # Remember cookie only if admin has told so
    # or admin didn't forbid it and user told to remember.
    if ( Bugzilla->params->{'rememberlogin'} eq 'on' ||
         (Bugzilla->params->{'rememberlogin'} ne 'off' &&
          $input_params->{'Bugzilla_remember'} &&
          $input_params->{'Bugzilla_remember'} eq 'on') ) 
    {
        # Not a session cookie, so set an infinite expiry
        $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
    }

We weren't passing the Bugzilla_remember parameter. I've checked in a patch to the master BrowserID extension repo which makes us do that, and I can confirm that with the patch, we get 2038 cookies when the requirelogin parameter is set to "defaulton".

dkl/glob: can you pull that change into the bmo-4.0 repo for the next BMO push day?

Thanks,

Gerv
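
The effect of that condition across the `rememberlogin` settings, as an added example that is not part of the bug comments or Bugzilla's own code: a Python model of the quoted Cookie.pm check, plus a helper that classifies a Set-Cookie value as session or persistent. The cookie name and value are constructed samples, `defaultoff` is a setting of the parameter that the thread does not mention, and the patched Persona form is assumed to send `Bugzilla_remember=on`.

```python
# Expiry string taken from the Cookie.pm excerpt quoted in the comment above.
EXPIRES = "Fri, 01-Jan-2038 00:00:00 GMT"

SETTINGS = ("on", "defaulton", "defaultoff", "off")  # rememberlogin values

# Constructed login submissions. Assumption: the patched Persona form sends
# Bugzilla_remember=on, as the password form does when its box is ticked.
FORMS = {
    "password, box ticked": {"Bugzilla_remember": "on"},
    "persona, before fix": {},
    "persona, after fix": {"Bugzilla_remember": "on"},
}

def is_persistent(rememberlogin, form_params):
    """Python rendering of the quoted Cookie.pm condition."""
    return rememberlogin == "on" or (
        rememberlogin != "off"
        and form_params.get("Bugzilla_remember") == "on"
    )

def set_cookie_value(rememberlogin, form_params):
    """Build the Set-Cookie value a login would yield (name/value constructed)."""
    parts = ["Bugzilla_logincookie=CONSTRUCTED", "path=/"]
    if is_persistent(rememberlogin, form_params):
        parts.append("expires=" + EXPIRES)
    return "; ".join(parts)

def cookie_kind(set_cookie):
    """A cookie with neither Expires nor Max-Age ends with the browser session."""
    attrs = {p.split("=", 1)[0].strip().lower()
             for p in set_cookie.split(";")[1:]}
    return "persistent" if attrs & {"expires", "max-age"} else "session"

def lifetime_matrix():
    """Map (rememberlogin setting, login form) to the resulting cookie kind."""
    return {
        (setting, form): cookie_kind(set_cookie_value(setting, params))
        for setting in SETTINGS
        for form, params in FORMS.items()
    }

if __name__ == "__main__":
    for (setting, form), kind in lifetime_matrix().items():
        print(f"{setting:10} {form:22} {kind}")
```

`cookie_kind` can also be pointed at the Set-Cookie value captured from a real login response to confirm which lifetime a deployment actually issues.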
nice find!

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.0/
modified extensions/BrowserID/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
modified extensions/BrowserID/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
Committed revision 8394.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/BrowserID/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
modified extensions/BrowserID/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
Committed revision 8420.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
When will the fix be released?
(In reply to Renato Silva from comment #6)
> When will the fix be released?

Should go out in the next code push either this Thursday or next. BMO is on a weekly release train.

dkl
Product: bugzilla.mozilla.org → bugzilla.mozilla.org Graveyard