It would be nice to have some XMLRPC API to request a change of the session id for an active session without having to provide the user login and password. It currently only seems possible to achieve a cookie change via User.logout + User.login.

Motivation: Several scripts / bots exist that need to talk to bugzilla. Traditionally, they have the username and password stored in plain text in some configuration or source file. That may not always be desired. Another possibility is to change the scripts to store the session cookie issued by bugzilla in some cookie file (both perl and python provide ready to use libraries for handling Netscape-style cookie files, and support in SOAP/XMLRPC libraries for using those cookie handling modules). However, if such a cookie is leaked / stolen, it can be used until an explicit logout is requested in the context of the BZ session (i.e. in the context of an automated script, it most likely remains valid forever / until the next forced password reset). It would be good to have a way (for the scripts that care) to invalidate the session cookie at an arbitrary time, without completely killing the session (that would require re-authentication). The idea is similar to PHP's session_regenerate_id() function. So any leaked / stolen cookie will be useless after some time (depending on the regenerate id request frequency from the script / bot).
Created attachment 330264 [details] Patch to allow XMLRPC client to regenerate cookie without username/password (v1)

Attaching a patch that creates User.regenerate_cookie(), which allows creating a new session cookie if the user passes in a previous valid cookie. Requires the user to pass in the username as a param but not the password. Please review. Dave
Comment on attachment 330264 [details] Patch to allow XMLRPC client to regenerate cookie without username/password (v1)

Hey Dave, the patch looks good to me. I tested the function and it works well; just the POD section is not validating for me, and I wasn't sure whether you were fixing previous POD in it or just adding the POD for the new function? Thanks, Noura
Thanks for the review Noura. I fixed the POD errors mentioned. Tomas, you can see how the new method is used by checking out the API docs when this update is pushed live. https://bugzilla.redhat.com/docs/en/html/api/Bugzilla/WebService/User.html Dave
Ooops, this does not work quite as expected... ;( It seems to kill the incorrect session. My test situation is: I'm logged in to BZ in the browser, and also have Perl scripts that use HTTP::Cookies::Netscape to store the session cookie, with a valid cookie in the cookie jar file (verified using User.valid_cookie()). When I call User.regenerate_cookie(), I can see the cookie changed in the cookie jar, and the scripts' session remains valid. To check whether the old cookie was properly invalidated, I hand-edited the cookie file used by the scripts and set the previous value of Bugzilla_logincookie. Calling User.valid_cookie() again shows that the old cookie is still accepted. Trying to access BZ via the web browser shows that my browser session / cookie was invalidated instead. This seems to be easily reproducible: calling User.regenerate_cookie() always kills my browser session, instead of killing the old cookie used by the scripts. Is there currently some way to figure out how many sessions are currently valid for some BZ account? Or a way to "kill all except the current one", something similar to what the gmail web UI has? Should I try to trim my test scripts down to some small test case that may help you?
Tomas, can you try this test of yours on bz-web2-test.devel.redhat.com and see if a recent fix works for you? Thanks, Dave
Tested on bz-web2-test. The good thing is that regenerate_cookie now invalidates the old cookie, so if I manually set the old cookie in the cookie jar, it is no longer valid. The bad thing is that regenerate_cookie still affects all my current sessions, not only the one in which regenerate_cookie is called. I tried to log in via the web UI; actually I opened two sessions in two browsers. Both of them were killed.
Created attachment 331544 [details] Test script

I modified my scripts / modules to create this minimal one-file test script. Use the following to reproduce:
- log into BZ using your preferred browser
- edit bztool and add your username / pw
- ./bztool login, this should create cookies.txt in CWD
- check that Bugzilla_logincookie in browser and cookies.txt file differ (hence different sessions are used by browser and script)
- try ./bztool valid_cookie, ./bztool logout, ./bztool valid_cookie
- check that browser session is still valid after ./bztool logout
- ./bztool login again
- ./bztool regenerate_cookie
- see that your browser session cookie is not valid any more
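The behaviour the reproduction steps above check, written out as an added example that is not the attached bztool script and not Bugzilla's code: a toy in-memory session table with login / valid_cookie / logout / regenerate_cookie methods modelled on the User.* calls used in this thread. The correct store retires only the cookie that called regenerate_cookie; the "buggy" subclass drops every session of the user, which is the symptom reported in comments #4 and #6. The "kill all except the current one" helper asked about in comment #4 is included as an assumption of how such a call could behave. All names and tokens here are constructed for the example.

```python
"""Toy model of per-session cookie regeneration (constructed example)."""
import secrets


class SessionStore:
    """One row per active session: token -> user name."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        # Equivalent of User.login: mint a fresh random login cookie.
        token = secrets.token_urlsafe(24)
        self._sessions[token] = user
        return token

    def valid_cookie(self, token):
        # Equivalent of User.valid_cookie: is this token still live?
        return token in self._sessions

    def logout(self, token):
        # Equivalent of User.logout: drop only the calling session.
        self._sessions.pop(token, None)

    def active_sessions(self, user):
        # Answers "how many sessions are valid for this account?"
        return sum(1 for u in self._sessions.values() if u == user)

    def regenerate_cookie(self, token):
        """Issue a new cookie for the calling session and retire the old
        one; other sessions of the same user are left untouched."""
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("cookie not valid")
        new_token = self.login(user)
        del self._sessions[token]
        return new_token

    def logout_others(self, token):
        """Assumed helper: keep the calling session, kill all others."""
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("cookie not valid")
        for t in [t for t, u in self._sessions.items() if u == user and t != token]:
            del self._sessions[t]


class BuggySessionStore(SessionStore):
    """Reproduces the reported symptom: regenerate wipes every session of
    the user instead of just the one that asked for a new cookie."""

    def regenerate_cookie(self, token):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("cookie not valid")
        for t in [t for t, u in self._sessions.items() if u == user]:
            del self._sessions[t]
        return self.login(user)


def run_test_case(store):
    """Mirror of the bztool steps: browser session plus a script session,
    script logout, script login again, script regenerate. Returns what a
    tester would observe at each point."""
    browser = store.login("tester")       # log into BZ in the browser
    script = store.login("tester")        # ./bztool login
    store.logout(script)                  # ./bztool logout
    browser_valid_after_logout = store.valid_cookie(browser)
    old_script = store.login("tester")    # ./bztool login again
    new_script = store.regenerate_cookie(old_script)  # ./bztool regenerate_cookie
    return {
        "browser_valid_after_logout": browser_valid_after_logout,
        "old_script_cookie_valid": store.valid_cookie(old_script),
        "new_script_cookie_valid": store.valid_cookie(new_script),
        "browser_valid_after_regenerate": store.valid_cookie(browser),
        "sessions_after_regenerate": store.active_sessions("tester"),
    }


if __name__ == "__main__":
    print("fixed :", run_test_case(SessionStore()))
    print("buggy :", run_test_case(BuggySessionStore()))
```

Running the module prints one result line per store. The fixed store leaves the browser session valid after the script regenerates its cookie (two sessions remain), while the buggy store reports the browser cookie as invalid, which is exactly the observation in the reproduction steps.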
(In reply to comment #7)
> - log into BZ using your preferred browser
> - edit bztool and add your username / pw
> - ./bztool login, this should create cookies.txt in CWD
> - check that Bugzilla_logincookie in browser and cookies.txt file differ (hence different sessions are used by browser and script)
> - try ./bztool valid_cookie, ./bztool logout, ./bztool valid_cookie
> - check that browser session is still valid after ./bztool logout
> - ./bztool login again
> - ./bztool regenerate_cookie
> - see that your browser session cookie is not valid any more

I am able to re-create the issue from your test case. Interesting that the cookies.txt file created by the script is not in the normal Firefox profile path. For example, I have it in ~/Perl/bugzilla. How is Firefox affected by the cookies.txt file in that location? Does Firefox search everywhere in your home directory for cookies.txt file(s) and use that before it uses the standard cookies.sqlite in the profile directory? Dave
(In reply to comment #8)
> I am able to re-create the issue from your test case. Interesting that the cookies.txt file created by the script is not in the normal Firefox profile path. For example, I have it in ~/Perl/bugzilla. How is Firefox affected by the cookies.txt file in that location? Does Firefox search everywhere in your home directory for cookies.txt file(s) and use that before it uses the standard cookies.sqlite in the profile directory?

Duh, disregard this part. I was missing what was really happening. Dave
Ok, I have made a tweak on https://bz-web2-test.devel.redhat.com which seems to have helped this. I changed the bztool to point to that system and now the test case seems to work fine and does not logout my browser which is accessing the same system. Please give it a try and let me know if it works better. Dave
(In reply to comment #9)
> Duh, disregard this part. I was missing what was really happening.

Yeah, I was not trying to steal the cookie from firefox. I know python-bugzilla tried to do that, but I gave up trying to use it once firefox 3 switched to using the sqlite cookie store.

(In reply to comment #10)
> Ok, I have made a tweak on https://bz-web2-test.devel.redhat.com which seems to have helped this. I changed the bztool to point to that system and now the test case seems to work fine and does not logout my browser which is accessing the same system.

Tried against bz-web2-test with 3 sessions (firefox, konqueror, scripts). Calling regenerate_cookie in the script does not kill the other two sessions any more. The old cookie no longer seems to be valid after regenerate_cookie. So it looks good to me, thank you!
Fix will be in the next BZ update.