Bug 1405438

Summary: Production cookies being sent to sub-domains
Product: [Community] Bugzilla
Reporter: Michael Simacek <msimacek>
Component: User Interface
Assignee: PnT DevOps Devs <hss-ied-bugs>
Status: CLOSED NEXTRELEASE
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0
CC: huiwang, jmcdonal, mtyson, qgong, vkrizan, yijli
Target Milestone: 5.0
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-19 04:45:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michael Simacek 2016-12-16 14:04:00 UTC
Description of problem:
When I'm not logged in and go to advanced search, I can select a classification, but trying to select a product throws an error.

How reproducible:
always on https://beta.bugzilla.redhat.com/bugzilla/query.cgi

Steps to Reproduce:
1. if logged in, log out
2. go to advanced search, select a classification (e.g. Fedora)
3. click into the product field

Actual results:
Error: The cookies or token provide were not valid or have expired. You may login again to get new cookies or a new token.

Expected results:
It should show a list of products without requiring auth.

Comment 1 Matt Tyson 🤬 2016-12-18 23:56:10 UTC
This is happening because the browser is using a login cookie that does not exist in the database.

When the Bugzilla RPC interface goes to authenticate that cookie, an exception is thrown as the cookie does not exist.

Production bugzilla seems to have this same issue as well.

I suspect what is happening in this case is that because the beta site logincookie is gone (beta.bugzilla.redhat.com) the browser is falling back to the production cookie (bugzilla.redhat.com).

This problem is probably coming about because of the confusion of domain names.

Comment 2 Matt Tyson 🤬 2017-01-09 03:19:20 UTC
*** Bug 1409700 has been marked as a duplicate of this bug. ***

Comment 3 Jeff Fearn 🐞 2017-01-09 22:55:03 UTC
*** Bug 1411376 has been marked as a duplicate of this bug. ***

Comment 6 Jeff Fearn 🐞 2017-01-18 08:42:13 UTC
This is apparently all working as per the RFC.

http://erik.io/blog/2014/03/04/definitive-guide-to-cookie-domains/

It appears we should empty the domain in the production cookies and that will make it so browsers don't send the production cookies to sub-domains.
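
The RFC 6265 matching rule behind comment 6, as an added example that is not part of the bug or of Bugzilla's own code: a cookie set with a Domain attribute is sent to every subdomain of that domain, while a host-only cookie (no Domain attribute) is sent only to the exact host that set it. The cookie name Bugzilla_logincookie and the two Set-Cookie headers are constructed for illustration.

```python
# Added example (not from the bug or Bugzilla): RFC 6265 cookie domain matching,
# showing why a production cookie with Domain=bugzilla.redhat.com reaches
# beta.bugzilla.redhat.com while a host-only cookie does not.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    domain: str       # effective domain, lower-cased, without a leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser: the name plus the Domain attribute (RFC 6265 5.2.3, 5.3)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = ""
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lower().lstrip(".")
    if domain:
        return Cookie(name, domain, host_only=False)
    # No Domain attribute: the cookie is scoped to the setting host only.
    return Cookie(name, request_host.lower(), host_only=True)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the cookie domain or a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 5.4 step 1: host-only cookies require an exact host match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


# Constructed headers standing in for what production could send at login.
PROD_HOST = "bugzilla.redhat.com"
BETA_HOST = "beta.bugzilla.redhat.com"
WEAK = parse_set_cookie("Bugzilla_logincookie=abc; Domain=bugzilla.redhat.com; Secure; HttpOnly", PROD_HOST)
FIXED = parse_set_cookie("Bugzilla_logincookie=abc; Secure; HttpOnly", PROD_HOST)

if __name__ == "__main__":
    for label, c in (("with Domain attribute", WEAK), ("host-only", FIXED)):
        print(f"{label}: sent to {BETA_HOST}? {is_sent_to(c, BETA_HOST)}")
```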

Comment 7 Jeff Fearn 🐞 2017-01-18 12:18:17 UTC
*** Bug 1406270 has been marked as a duplicate of this bug. ***

Comment 8 Jeff Fearn 🐞 2017-01-19 04:45:41 UTC
When we go to the public beta we will rename the server so it's not a sub-domain of production.