Update: On the advice of a Bugzilla developer, I've reported this as a bug ( #1005931) in the Bugzilla bug tracking system (Bugzilla). Something is making Bugzilla think the user is no longer logged in, and Bugzilla is responding by setting a new value for Bugzilla_login_request_cookie, which triggers the login process again. When one of the Bugzillas suddenly prompts for login again, although I see no change in the cookies being passed to the server in the GET header, the server returns this: Set-Cookie: Bugzilla_login_request_cookie= path=/ secure HttpOnly After login, Bugzilla_login_request_cookie is effectively cleared, and two new cookies are set: Bugzilla_login and Bugzilla_logincookie. Before login, the Bugzilla_login_request_cookie is set with a unique value. As long as the two Bugzillas are working normally (no spurious login prompts), the cookies being passed around make sense. I used LiveHTTPHeaders to watch what happens with the login-related Bugzilla cookies. I tried setting the two cookiedomain values to '/' and '/', but that just resulted in no cookies being created at all. Bugzilla2 is its cookiedomain is '' and cookiepath is '/'.Īlthough normally when making changes to a Bugzilla/mod_perl setup I restart Apache to allow changes to kick in, my understanding is that this is not necessary when only the params files are changed (including changes to cookiedomain and cookiepath) (confirmed). Otherwise, you will be required to log in frequently.) If you don't have a Bugzilla account, you can create a new account. Bugzilla1 is its cookiedomain is '' and cookiepath is '/'. Login: Password: Restrict this session to this IP address (using this option improves security) (Note: you should make sure cookies are enabled for this site.
Bugzilla login cracked#
Has anyone out there cracked this problem?Īdditional: I'm running Bugzilla 4.4.4. I believe Bugzilla defaults to sharing cookies, and that's presumably the root of the problem, and I've tried playing with both cookiepath and cookiedomain, with no success. Apparently this is fairly common with certain Bugzilla setups, but note that I do not have that problem with my original shared mod_perl Bugzilla (the one without SSL). Logins for the two Bugzillas interfere with each other, causing repeated login prompts and 'bad password' messages. That means they also have different, unique IP addresses.Īlthough this second setup basically works, I'm running into problems with login and cookies. Now I'm trying to do the same thing on a different server, with the same basic setup, except that the hosts sharing Bugzilla are running SSL as well. I've managed to set up a shared mod_perl Bugzilla environment using the PROJECT variable, and it works perfectly.
0 kommentar(er)
