Bug 506312 - Expired password causes chicken and egg login failure
Expired password causes chicken and egg login failure
Product: Bugzilla
Classification: Community
Component: Bugzilla General (Show other bugs)
All Linux
low Severity urgent (vote)
: ---
: ---
Assigned To: PnT DevOps Devs
Depends On:
  Show dependency treegraph
Reported: 2009-06-16 12:36 EDT by Tethys
Modified: 2013-06-23 22:09 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-11-20 13:09:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tethys 2009-06-16 12:36:51 EDT
Description of problem:
I tried to log a bug against F11 today. Bugzilla told me that my password
had expired, and needed to be reset. To do this required my old password,
which I'd forgotten. Bugzilla won't let me into the "I've forgotten my
password" page until I've reset my expired password. Which I can't do
because I don't know what it is.

Version-Release number of selected component (if applicable):
No idea. Whatever's live at https://bugzilla.redhat.com/

How reproducible:
Every time
Comment 1 David Lawrence 2009-06-16 13:28:56 EDT
I have updated your password to a temp value and emailed it to your address. This should get you going. We will look into the issue though of allowing a forgotten password to be mailed even if it is expired and then allow it to be changed once the person is able to login once.

Comment 2 Karsten Wade 2009-10-21 16:06:41 EDT
I just got bit by this bug (my notes are below, fwiw), and I do have a few wrinkles to add.

I opened a different browser that didn't have my same login cookie stored (Seamonkey) and ran against a problem if it instantly thinking I had made too many password reset requests.  Something in the earlier process of trying to get to a password reset page in the first browser-w/-login-cookie (Firefox) seemed to increment a counter?

Here are my notes; my password is now recovered.  I used Seamonkey and got it to issue a reset token.  Perhaps the administrative password reset unjammed the queue of reset token emails?

Password expiry feedback loop.

1. Came to bz.r.c with browser that had a login cookie; receive notice
about expired password.

2. Uh, oh, the password I thought was just-expired is wrong; how do I
recover it?

3. Try to go to the password recovery page; it sends you back to the
password expiry page.  Oops.

4. Open a different browser that doesn't have a login cookie for that
user, go to password recovery page.

5. Receive error that too many password reset tokens were issued in
too short a time.

Is a step in there issuing a password reset token?  Not that I
received, but maybe something is incremented.

The password recovery page needs to be outside of the "password
expiry, reset" page.

Toshio was resetting my password for me, using an administrative
password reset.  At the same time, I was trying to document the bug
steps, and tried step 4. again, this time with success.

My inbox had 8 "Password change request canceled" notices, all issued
today or the day before (when I last worked on this.)  Odd message, too:

  A request was canceled from 1.

  If you did not request this, it could be either an honest mistake or
  someone attempting to break into your Red Hat Bugzilla +account.

  Take a look at the information below and forward this email to
  bugzilla-owner@redhat.com if you suspect foul play.

            Token: 0123456789  // Changed from actual issued token
       Token Type: password
             User: kwade@redhat.com
       Issue Date: 2009.10.21 03:23:18
       Event Data: 1
  Canceled Because: You have logged in.
Comment 3 David Lawrence 2009-11-20 13:09:17 EST
We are removing the password expiration functionality from Bugzilla for the next release which should be due in the beginning of January. The release of Bugzilla 3.6 shortly after will us to develop this feature as a plugin so that we can reimplement it in a more sane fashion. I am closing this as this should happen before the next expiration happens.


Note You need to log in before you can comment on or make changes to this bug.