Bug 7394
Summary: | Logs wrong people in | |
---|---|---|---
Product: | [Community] Bugzilla | Reporter: | Riley H Williams <rhw>
Component: | Bugzilla General | Assignee: | David Lawrence <dkl>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 2.1r | CC: | linux
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 1999-12-14 15:58:52 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Riley H Williams
1999-11-28 17:46:24 UTC
Bugzilla uses cookies to allow persistent connections without having to be validated every time you go to a new screen. Therefore the cookie is sometimes still in the browser's cookie file when you bring the browser back up after someone else has used it, and Bugzilla goes ahead and uses it if it is still valid. Until there is a better way of doing persistent login connections, you will need to click on logout from the query screen to remove the cookie permanently so no one else will log in to Bugzilla under your name. I have added a new header to the top of each Bugzilla page that states the current login name so you will be able to tell if someone else's cookie is still being used. I will also make it easier to find the logout option by putting it at the bottom of each page.

Many thanks. Closed.

Just a thought, but could the cookies be set to time out after some reasonable time? I for one would have no problem with a system whereby I was required to log in again if I hadn't used Bugzilla during the last 120 minutes, for example. From an implementation point of view, this should amount to the following:

1. Each cookie specifies a timeout 120 minutes after issue.
2. When a browser presents a cookie that is more than 15 minutes old, we send a replacement cookie with a new timeout.

As an example of this, I have just returned after four days without access to the Internet to find that I'm still logged on as far as Bugzilla is concerned. My opinion is that Bugzilla should at worst time out cookies after 24 hours.

I have talked to people here internally about doing this before, with very few positive reactions. Developers here spend a lot of time in Bugzilla and have voiced that it is annoying to have to re-login frequently, so we set the cookie expiration for a really large number. Until I or someone else in the Bugzilla community figures out an easier way of authentication that implements well with the current Bugzilla way of doing things, we will probably have to leave this one as is.
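
The two-step timeout proposed in the comments above (120-minute lifetime, replacement cookie once the presented one is more than 15 minutes old), written out as an added example; it is not Bugzilla's code. The signed `login|issued_at|mac` cookie format, the function names and the key are assumptions made for illustration, and the server checks the cookie's age itself instead of relying on the browser to discard it.

```python
import hashlib
import hmac

TTL = 120 * 60          # step 1: a cookie is valid for 120 minutes after issue
RENEW_AFTER = 15 * 60   # step 2: reissue once the cookie is over 15 minutes old
SECRET = b"constructed-demo-key"  # assumption: per-installation server secret


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue(login: str, now: int) -> str:
    """Return a cookie value 'login|issued_at|mac' bound to its issue time."""
    payload = f"{login}|{now}"
    return f"{payload}|{_sign(payload)}"


def check(cookie: str, now: int):
    """Return (login, replacement_cookie); login is None when a re-login is needed."""
    try:
        login, issued_s, mac = cookie.rsplit("|", 2)
        issued = int(issued_s)
    except ValueError:
        return None, None                  # malformed value
    expected = _sign(f"{login}|{issued_s}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None, None                  # login or timestamp was altered
    age = now - issued
    if age < 0 or age > TTL:
        return None, None                  # expired, whatever the browser kept
    if age > RENEW_AFTER:
        return login, issue(login, now)    # slide the 120-minute window forward
    return login, None                     # fresh enough, nothing to resend


if __name__ == "__main__":
    t0 = 943811184                         # constructed issue time (epoch seconds)
    cookie = issue("rhw", t0)
    print(check(cookie, t0 + 10 * 60))     # accepted, no replacement
    print(check(cookie, t0 + 20 * 60))     # accepted, replacement issued
    print(check(cookie, t0 + 4 * 86400))   # four days idle: rejected
```

Because the issue time is covered by the MAC, a cookie left in a shared browser's cookie file stops working after 120 idle minutes even if the browser never deletes it.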