Description of problem: While using RH Bugzilla from behind the Dell corporate firewall (proxy), Bugzilla logs you out every 30 secs or less of inactivity. This makes using RH Bugzilla completely *unusable*. Works great from home when directly connecting to the Internet. Version-Release number of selected component (if applicable): 2.18-rh How reproducible: Moderate Steps to Reproduce: 1. Login to RH Bugzilla from behind a firewall such as foo.bar.com with your @dell.com account 2. Stay inactive for ~ 30 secs 3. Try to access some (non-public) bug that requires you to remain logged in Actual results: Bugzilla takes you to the login page and makes you login again Expected results: Should stay logged in and Bugzilla should take you the issue Additional info This is a more recent observation (past 3 mos. perhaps) and didn't use to happen before that. This only happens with RH's version of Bugzilla. Other public Bugzillas (Xorg, Kernel, SuSE etc.) work fine from behind the firewall and keep you logged in.
It's worth noting that Dell's proxy servers are actually a farm, with round robin DNS set to 30 seconds. So every 30 seconds the clients will be using a different proxy. So client IP-based cookies for authentication won't work well, and is most likely the cause.
Well that would be the problem in this case. Is this something that has changed recently since (as far as I know) dell.com accounts have been working up until recently? Nothing has changed on the Bugzilla code side for quite a while now.
no change here, it's been broken for a long time. Amit's just feeling the most pain right now.
Ok, I changed the configuration so that it will accept an IP that remains within a /24. But perhaps I should have asked Matt how big is the round robin pool first?
How about a /16 :-) Seriously. The Dell Austin pool looks like it bounces between 143.166.99.x and 143.166.217.x.
ok, done.
Still working from home. Will provide feedback once I'm behind the firewall (later today).
Amit, putting this in NEEDINFO pending your response to "Does this change resolve the problem?" Also, I'm curious why Dell has problems with Red Hat's Bugzilla but not the Novelll/SuSE or kernel.org versions? Is Red Hat "avant garde" or in the "Dark Ages" regarding our Bugzilla version compared to the other two examples?
It is a configuration option in all bugzillas. Ours was configured to be more strict than others. AIUI this is the first complaint we have had about it.
Those may be using a newer version of Bugzilla which allows user to disable the IP address tracking feature of Bugzilla as a preference. This causes a slight loss in security as it makes it a little easier for someone to spoof another's account. We do not allow this to be disabled currently.
So, as of this morning (brand new), bugzilla login page has an option exposed to users labeled "Restrict this session to this IP address". This is checked by default. If you login with this option checked, the behavior is still as before and frequent (every 30 secs) logins are required. Unchecking the box, makes your sessions persist and sessions persist like a charm!! Thanks for implementing. We can close this request now. Now, if we could only get some of the same magic from Dave/Kevin in our (other) master bugzilla woes tracker i.e. bz# 213248, that would be grrrreat!!!!! ;-)