Red Hat Bugzilla – Bug 506312
Expired password causes chicken and egg login failure
Last modified: 2013-06-23 22:09:04 EDT
Description of problem:
I tried to log a bug against F11 today. Bugzilla told me that my password
had expired, and needed to be reset. To do this required my old password,
which I'd forgotten. Bugzilla won't let me into the "I've forgotten my
password" page until I've reset my expired password. Which I can't do
because I don't know what it is.
Version-Release number of selected component (if applicable):
No idea. Whatever's live at https://bugzilla.redhat.com/
I have updated your password to a temp value and emailed it to your address. This should get you going. We will look into the issue, though, of allowing a forgotten password to be mailed even if it is expired, and then allowing it to be changed once the person is able to log in.
I just got bit by this bug (my notes are below, fwiw), and I do have a few wrinkles to add.
I opened a different browser that didn't have my same login cookie stored (Seamonkey) and ran into a problem of it instantly thinking I had made too many password reset requests. Something in the earlier process of trying to get to a password reset page in the first browser-w/-login-cookie (Firefox) seemed to increment a counter?
Here are my notes; my password is now recovered. I used Seamonkey and got it to issue a reset token. Perhaps the administrative password reset unjammed the queue of reset token emails?
Password expiry feedback loop.
1. Came to bz.r.c with browser that had a login cookie; receive notice about expired password.
2. Uh, oh, the password I thought was just-expired is wrong; how do I
3. Try to go to the password recovery page; it sends you back to the password expiry page. Oops.
4. Open a different browser that doesn't have a login cookie for that user, go to password recovery page.
5. Receive error that too many password reset tokens were issued in too short a time.
Is a step in there issuing a password reset token? Not that I received, but maybe something is incremented.
The password recovery page needs to be outside of the "password expiry, reset" page.
Toshio was resetting my password for me, using an administrative password reset. At the same time, I was trying to document the bug steps, and tried step 4 again, this time with success.
My inbox had 8 "Password change request canceled" notices, all issued today or the day before (when I last worked on this). Odd message, too:
A request was canceled from 1.
If you did not request this, it could be either an honest mistake or
someone attempting to break into your Red Hat Bugzilla +account.
Take a look at the information below and forward this email to
email@example.com if you suspect foul play.
Token: 0123456789 // Changed from actual issued token
Token Type: password
Issue Date: 2009.10.21 03:23:18
Event Data: 1
Canceled Because: You have logged in.
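The feedback loop these notes describe, as an added Python model that is not Bugzilla's code: with the recovery page gated behind the expiry page (gated=True), every attempt from the cookie-holding browser issues a token that is canceled on the bounce back to the expiry page, so the reset rate limit is exhausted before a cookie-less browser is ever tried; with the gate removed the first request succeeds. The limit of three, the page names and the rule that an expired-password cookie does not count as a login in the fixed flow are assumptions.

```python
# Added illustration, not Bugzilla's code: toy model of the login/recovery flow
# in this bug. The limit, names and the fixed-flow cookie handling are assumed.
from dataclasses import dataclass, field

RESET_LIMIT = 3  # constructed: tokens allowed before "too many requests"

@dataclass
class Account:
    password_expired: bool = True
    tokens_issued: int = 0                 # what the rate-limit check counts
    active_token: str = ""                 # "" means no token pending
    cancellations: list = field(default_factory=list)

def request_reset(acct: Account) -> str:
    """Issue a reset token unless the rate limit has already been hit."""
    if acct.tokens_issued >= RESET_LIMIT:
        return "error: too many password reset tokens issued"
    acct.tokens_issued += 1
    acct.active_token = f"token-{acct.tokens_issued}"
    return "token emailed"

def visit(acct: Account, page: str, has_cookie: bool, gated: bool) -> str:
    """One page load. gated=True reproduces the bug: recovery sits behind the
    expiry page, and a browser holding the login cookie counts as logged in,
    so any pending token is canceled 'because you have logged in'."""
    logged_in = has_cookie and (gated or not acct.password_expired)
    if logged_in and acct.active_token:
        acct.cancellations.append("Canceled Because: You have logged in.")
        acct.active_token = ""
    if page != "recovery":
        return "ok"
    if gated and has_cookie and acct.password_expired:
        issued = request_reset(acct)               # counted against the limit
        if issued.startswith("error"):
            return issued
        visit(acct, "expiry", has_cookie, gated)   # bounce cancels the token
        return "redirect: password expiry page"
    return request_reset(acct)

def reproduce(gated: bool) -> tuple:
    """Replay the reporter's steps: retry from the cookie-holding browser,
    then fall back to a cookie-less browser if no usable token arrived."""
    acct, trace = Account(), []
    for _ in range(3):
        trace.append(visit(acct, "recovery", True, gated))
        if acct.active_token:
            break
    if not acct.active_token:
        trace.append(visit(acct, "recovery", False, gated))
    return trace, len(acct.cancellations)
```

Running reproduce(True) yields three redirects, one "too many tokens" error from the fresh browser and three cancellation notices, the pattern in the inbox above; reproduce(False) yields a single "token emailed" and no cancellations.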
We are removing the password expiration functionality from Bugzilla for the next release, which should be due in the beginning of January. The release of Bugzilla 3.6 shortly after will allow us to develop this feature as a plugin so that we can reimplement it in a more sane fashion. I am closing this as this should happen before the next expiration happens.