Bug 7394

Summary:	Logs wrong people in
Product:	[Community] Bugzilla	Reporter:	Riley H Williams <rhw>
Component:	Bugzilla General	Assignee:	David Lawrence <dkl>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	2.1r	CC:	linux
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	1999-12-14 15:58:52 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Riley H Williams 1999-11-28 17:46:24 UTC

Bugzilla appears to have a problem connected with logging people in when
they post bugs. The situation here probably isn't a common one, and
doubtless contributes to the occurrance of this problem, so I will describe
it:

First, the computers here are located in computing laboratories, with
perhaps a dozen computers in each laboratory. These computers are equipped
with "Windows NT Workstation 4.0" which I am currently using due to the
particular homework I am working on. As is probably common with university
computing laboratories, different people get to use each machine at
different times, and it is not uncommon for the machines to not get
rebooted between users.

I have just reported a bug relating to the initscripts package, and I was
never asked for a login when doing so. Having posted the bug report, I note
that the "Reporter" listed is not me, but "linux.uk" instead. I
presume that the owner of that address was the previous user of this
particular system to use Bugzilla, and have put him/her in the CC list for
this report because of this fact.

I do not know whether the system has been rebooted between him/her using
this system to use Bugzilla and my doing so, nor do I have any means of
finding out whether such is the case as I do not admin these systems.

I would suggest that an option be added to the user status record such that
users who may be susceptible to this problem can indicate such, and
Bugzilla takes extra measures to ensure that the correct user is allocated
when this option is set.

Comment 1 David Lawrence 1999-11-29 17:36:59 UTC

Bugzilla uses cookies to allow pesistant connections without having to be
validated every time you go to a new screen. Therefore the cookie is sometimes
still in the browser's cookie file when you bring the browser back up after
someone else has used it and Bugzilla goes ahead and uses it if it still valid.
Until a better way of doing persistant login connections you will need to click
on logout from the query screen to remove the cookie permenantly so noone else
will login to Bugzilla under your name. I have added a new header to the top of
each bugzilla page that states the current login name so you will be able to
tell if someone elses cookie is still being used. I will also make it easier to
find the logout option by putting it at the bottom of each page.

Comment 2 Riley H Williams 1999-11-29 18:47:59 UTC

Many thanks. Closed.

Comment 3 Riley H Williams 1999-12-04 15:22:59 UTC

Just a thought, but could the cookies be set to timeout after some reasonable
time? I for one would have no problem with a system whereby I was required to
log in again if I hadn't used Bugzilla during the last 120 minutes, for example.

From an implementation point of view, this should amount to the following:

 1. Each cookie specifies a timeout 120 minutes after issue.

 2. When a browser presents a cookie that is more than 15 minutes old, we
    send a replacement cookie with a new timeout.

As an example of this, I have just returned after four days without access to
the Internet to find that I'm still logged on as far as Bugzilla is concerned.
My opinion is that Bugzilla should at worst timeout cookies after 24 hours.

Comment 4 David Lawrence 1999-12-14 15:58:59 UTC

I have talked to people here internally about doing this before with very little
positive reactions. Developers here spend alot of time in Bugzilla and have
voiced that it is annoying to have to relogin frequently so we set the cookie
expiration for a really large number. Until I or someone else in the Bugzilla
community figure out a easier way of authentication that implements well with
the current Bugzilla way of doing things we will probably have to leave this one
as is.