Bugzilla session cookies

Bugzilla session cookies

Abdul Jaleel
Hi All,
We want all our users to log out and log back in to sync up some of the LDAP
changes that recently happened. Currently their session cookies take them
directly to Bugzilla without asking them to log in.

1. Now, can the rememberlogin parameter help here if we keep the "off" option?
The existing session cookies have a long expiration date, i.e. 2038.

2. Where can I find/set the Bugzilla session timeout? Is that the Apache Timeout
setting?

I set rememberlogin to "off" on our test env, but it still doesn't ask me
to log in even after the httpd.conf Timeout period.

Any thoughts will be appreciated.

Thanks,
Jaleel.




========================================
rememberlogin: Controls management of session cookies

   - on - Session cookies never expire (the user has to login only once per
   browser).
   - off - Session cookies last until the user's session ends (the user will
   have to login in each new browser session).
   - defaulton/defaultoff - Default behavior as described above, but user
   can choose whether TiVo Bugbase will remember his login or not.
_______________________________________________
support-bugzilla mailing list
[hidden email]
https://lists.mozilla.org/listinfo/support-bugzilla
PLEASE put [hidden email] in the To: field when you reply.

Re: Bugzilla session cookies

antovinraj
Hi Abdul,

We have an option in Bugzilla called the "shutdown" parameter, which can be
used to clear all the cookies in an easier way.

Thanks,
Antoine.

On Thu, Sep 21, 2017 at 1:58 PM, Abdul Jaleel <[hidden email]> wrote:

> Hi All,
> We want all our users to log out and log back in to sync up some of the LDAP
> changes that recently happened. Currently their session cookies take them
> directly to Bugzilla without asking them to log in.
>
> 1. Now, can the rememberlogin parameter help here if we keep the "off" option?
> The existing session cookies have a long expiration date, i.e. 2038.
>
> 2. Where can I find/set the Bugzilla session timeout? Is that the Apache Timeout
> setting?
>
> I set rememberlogin to "off" on our test env, but it still doesn't ask me
> to log in even after the httpd.conf Timeout period.
>
> Any thoughts will be appreciated.
>
> Thanks,
> Jaleel.
>
> ========================================
> rememberlogin: Controls management of session cookies
>
>    - on - Session cookies never expire (the user has to login only once per
>    browser).
>    - off - Session cookies last until the user's session ends (the user will
>    have to login in each new browser session).
>    - defaulton/defaultoff - Default behavior as described above, but user
>    can choose whether TiVo Bugbase will remember his login or not.

Re: Bugzilla session cookies

Abdul Jaleel
Thank you, Thorsten. Your response gave me a very good insight into the
process.
Thanks,
Jaleel.

On Thu, Sep 21, 2017 at 3:19 PM, Thorsten Schöning <[hidden email]>
wrote:

> Hello Abdul Jaleel,
> on Thursday, 21 September 2017 at 10:28 you wrote:
>
> > 1. Now, can the rememberlogin parameter help here if we keep the "off" option?
> > The existing session cookies have a long expiration date, i.e. 2038.
>
> From my understanding, changing to "off" for already authorized users
> only changes things if those users actually use Bugzilla one more time
> afterwards to recognize the changed setting. Look at the following:
>
> Bugzilla::Auth::Login::Cookie::get_login_info
>
> It seems(!) safe to additionally clear the table "logincookies", which
> forces people with existing cookies to login, because verification of
> the cookies fails. Afterwards they would get browser session cookies
> only.
>
> You should test "shutdownhtml" as suggested first, sounds much easier
> if it influences cookies.
>
> > 2. Where can I find/set the Bugzilla session timeout?
>
> You can't, it is hard coded, look at the following function:
>
> >     # Remember cookie only if admin has told so
> >     # or admin didn't forbid it and user told to remember.
> >     if ( Bugzilla->params->{'rememberlogin'} eq 'on' ||
> >          (Bugzilla->params->{'rememberlogin'} ne 'off' &&
> >           $input_params->{'Bugzilla_remember'} &&
> >           $input_params->{'Bugzilla_remember'} eq 'on') )
> >     {
> >         # Not a session cookie, so set an infinite expiry
> >         $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
> >     }
>
> Bugzilla::Auth::Persist::Cookie::persist_login
>
> > Is that the Apache Timeout setting?
>
> No, those are completely different things. Apache's timeout directive
> is for low-level communication only:
>
> https://httpd.apache.org/docs/2.4/mod/core.html#timeout
>
> Best regards,
>
> Thorsten Schöning
>
> --
> Thorsten Schöning       E-Mail: [hidden email]
> AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
>
> Phone.............05151-  9468- 55
> Fax...............05151-  9468- 88
> Mobile.............0178-8 9468- 04
>
> AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
> AG Hannover HRB 207 694 - Managing Director: Andreas Muchow
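
The behaviour discussed in this thread, as an added, self-contained model that is not Bugzilla's code: changing "rememberlogin" only affects cookies issued afterwards, while clearing the server-side "logincookies" table invalidates cookies already sitting in browsers. The table and parameter names and the 2038 expiry string come from the thread; the column layout, the function names and the SQLite backing are assumptions made for the illustration.

```python
import secrets
import sqlite3

FAR_FUTURE = "Fri, 01-Jan-2038 00:00:00 GMT"  # expiry string quoted in the thread

def make_db():
    """In-memory stand-in for the "logincookies" table (columns are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logincookies (cookie TEXT PRIMARY KEY, userid INTEGER)")
    return db

def persist_login(db, userid, rememberlogin, user_wants_remember=False):
    """Model of the quoted condition: record the token, decide the cookie lifetime."""
    token = secrets.token_hex(8)
    db.execute("INSERT INTO logincookies VALUES (?, ?)", (token, userid))
    cookie = {"value": token, "userid": userid}
    if rememberlogin == "on" or (rememberlogin != "off" and user_wants_remember):
        cookie["expires"] = FAR_FUTURE  # persistent cookie
    return cookie  # without "expires" the browser drops it when the session ends

def verify_cookie(db, cookie):
    """Server-side check: a cookie is accepted only while its row exists."""
    row = db.execute(
        "SELECT 1 FROM logincookies WHERE cookie = ? AND userid = ?",
        (cookie["value"], cookie["userid"]),
    ).fetchone()
    return row is not None

def force_relogin(db):
    """Invalidate every outstanding cookie; returns how many rows were removed."""
    (count,) = db.execute("SELECT COUNT(*) FROM logincookies").fetchone()
    db.execute("DELETE FROM logincookies")
    return count

def demo():
    db = make_db()
    old = persist_login(db, userid=1, rememberlogin="on")
    # The admin now switches the parameter to "off"; the browser still holds
    # the 2038 cookie and the server still has its row, so it is accepted.
    still_valid = verify_cookie(db, old)
    removed = force_relogin(db)
    after_clear = verify_cookie(db, old)
    # The next login happens under "off": the "remember me" request is ignored.
    new = persist_login(db, userid=1, rememberlogin="off", user_wants_remember=True)
    return still_valid, removed, after_clear, "expires" in new, verify_cookie(db, new)

if __name__ == "__main__":
    print(demo())
```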