[Issue 12459] New: Bugzilla logs users in only on https site, and does not redirect from http to https
March 25, 2014
https://d.puremagic.com/issues/show_bug.cgi?id=12459

           Summary: Bugzilla logs users in only on https site, and does
                    not redirect from http to https
           Product: D
           Version: D2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: websites
        AssignedTo: braddr@puremagic.com
        ReportedBy: thecybershadow@gmail.com


--- Comment #0 from Vladimir Panteleev <thecybershadow@gmail.com> 2014-03-25 11:29:00 EET ---
Logging in currently only saves the session cookie on the https:// protocol, because it is sent with the "secure" flag enabled.

Bugzilla seems to be configured to redirect logged-in users from http:// to https://, but since the cookie is never visible when accessing the site via http://, the only way that redirect can happen is if someone still had a login cookie from before HTTPS was added.

In effect, this means that any user who logged in since the addition of HTTPS will not be logged in when clicking on a http:// Bugzilla link. They need to either log in again, or edit the URL in their browser to point to HTTPS.

A fix would be to set some cookie WITHOUT the secure flag, which would indicate the requirement to redirect to https://.

I discovered this accidentally after logging out to test something.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
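The mechanism in the report (a cookie set with the Secure flag is never attached to an http:// request, so a redirect keyed on that cookie can never fire) and the proposed fix (a second, non-secret cookie without the Secure flag that only says "send me to https"), modelled as an added Python example that is not Bugzilla's or the reporter's code. The cookie names, the token value and the handler are assumptions; the browser side is a minimal jar that honours the Secure attribute.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


class BrowserJar:
    """Minimal cookie jar: a Secure cookie is only attached to https requests."""

    def __init__(self):
        self.cookies = {}

    def store(self, cookies):
        for c in cookies:
            self.cookies[c.name] = c

    def for_request(self, scheme):
        return {c.name: c.value for c in self.cookies.values()
                if scheme == "https" or not c.secure}


SESSION_TOKEN = "constructed-session-token"  # constructed sample value (assumption)


def login():
    """Set-Cookie headers issued on a successful login (names are assumptions).
    The session cookie keeps Secure; the hint cookie carries no secret."""
    return [Cookie("Bugzilla_login", SESSION_TOKEN, secure=True),
            Cookie("wants_https", "1", secure=False)]


def handle(scheme, cookies, use_hint):
    """Server side. Returns ('redirect', 'https') or ('page', logged_in).
    use_hint=False keys the redirect on the session cookie (invisible over http);
    use_hint=True keys it on the non-secure hint cookie, as the report proposes."""
    marker = "wants_https" if use_hint else "Bugzilla_login"
    if scheme == "http" and marker in cookies:
        return ("redirect", "https")
    return ("page", cookies.get("Bugzilla_login") == SESSION_TOKEN)


def simulate(use_hint):
    """User logs in over https, then follows a plain http:// link to an issue."""
    jar = BrowserJar()
    jar.store(login())
    first = handle("http", jar.for_request("http"), use_hint)
    token_sent_over_http = "Bugzilla_login" in jar.for_request("http")
    after_redirect = handle("https", jar.for_request("https"), use_hint)
    return first, token_sent_over_http, after_redirect
```

In both configurations the session token never travels over http; only the hint variant gets the user back to a logged-in https page without re-entering credentials.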
--- Comment #1 from Brad Roberts <braddr@puremagic.com> 2014-03-25 02:44:34 PDT ---
I can't reproduce the problem.  Please give a detailed set of steps.

What I tried:

logged out
delete all cookies for puremagic.com/issues urls
hit http://d.puremagic.com/issues/
  was redirected to https://...
was able to login just fine

--- Comment #2 from Vladimir Panteleev <thecybershadow@gmail.com> 2014-03-25 11:52:59 EET ---
Hmm, the front page seems to be redirecting just fine, but links to individual issues don't... Example:

http://d.puremagic.com/issues/show_bug.cgi?id=12459

This doesn't redirect me.

--- Comment #3 from Brad Roberts <braddr@puremagic.com> 2014-03-25 03:02:24 PDT ---
It didn't redirect me either, but gave no issues when logging in from that page either.  So, other than being able to view a bug via http, what's the issue here?  No passwords are sent in the clear (the form submit url is https).  No problems logging in.

--- Comment #4 from Vladimir Panteleev <thecybershadow@gmail.com> 2014-03-25 12:04:21 EET ---
The problem is that if you log in, then open that page again, you are not logged in. You have to log in again.

--- Comment #5 from Brad Roberts <braddr@puremagic.com> 2014-03-25 03:09:56 PDT ---
Ok.. I see what you're saying.  It's a difference of expectations.  You're never logged in on a plain http page.  That's purposeful to avoid having any security credentials, including the cookie, passed in the clear.. ever.

It doesn't prevent login, just never shows you as logged in on an https page. Not a bug.

--- Comment #6 from Vladimir Panteleev <thecybershadow@gmail.com> 2014-03-25 12:12:00 EET ---
I would consider this a problem because websites generally just don't behave this way.

I don't know what's causing this behavior but I proposed a possible solution in the issue description.

Brad Roberts <braddr@puremagic.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX


--- Comment #7 from Brad Roberts <braddr@puremagic.com> 2014-03-25 03:17:24 PDT ---
Well, we'll see what the 4.x version has after the upgrade, but if you want this behavior changed, the issue tracker for bugzilla itself is the right place to lobby for this change.  Personally, I believe it's correct.  I'm going to close this either way since it's not an issue with this particular installation of bugzilla.

Vladimir Panteleev <thecybershadow@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |


--- Comment #8 from Vladimir Panteleev <thecybershadow@gmail.com> 2014-03-25 12:20:24 EET ---
I think it's better to keep this open for as long as the issue persists, and close it when it's fixed. Even if it's not a bug, it's an annoyance that can be resolved without sacrificing security.

Brad Roberts <braddr@puremagic.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX


--- Comment #9 from Brad Roberts <braddr@puremagic.com> 2014-03-25 03:27:32 PDT ---
Reopen if and only if you can convince the bugzilla developers that the change is worth making.  I believe it _is_ a security risk for the logged in cookie and its token to be passed in the clear.
