www.digitalmars.com         C & C++   DMDScript  

digitalmars.D.bugs - [Issue 12459] New: Bugzilla logs users in only on https site, and does not redirect from http to https

reply d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459

           Summary: Bugzilla logs users in only on https site, and does
                    not redirect from http to https
           Product: D
           Version: D2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: websites
        AssignedTo: braddr puremagic.com
        ReportedBy: thecybershadow gmail.com


--- Comment #0 from Vladimir Panteleev <thecybershadow gmail.com> 2014-03-25
11:29:00 EET ---
Logging in currently only saves the session cookie on the https:// protocol,
because it is sent with the "secure" flag enabled.

Bugzilla seems to be configured to redirect logged-in users from http:// to
https://, but since the cookie is never visible when accessing the site via
http://, the only way that redirect can happen is if someone still had a login
cookie from before HTTPS was added.

In effect, this means that any user who logged in since the addition of HTTPS
will not be logged in when clicking on a http:// Bugzilla link. They need to
either log in again, or edit the URL in their browser to point to HTTPS.

A fix would be to set some cookie WITHOUT the secure flag, which would indicate
the requirement to redirect to https://.

I discovered this accidentally after logging out to test something.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #1 from Brad Roberts <braddr puremagic.com> 2014-03-25 02:44:34 PDT
---
I can't reproduce the problem.  Please give a detailed set of steps.

What I tried:

logged out
delete all cookies for puremagic.com/issues urls
hit http://d.puremagic.com/issues/
  was redirected to https://...
was able to login just fine

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #2 from Vladimir Panteleev <thecybershadow gmail.com> 2014-03-25
11:52:59 EET ---
Hmm, the front page seems to be redirecting just fine, but links to individual
issues don't... Example:

http://d.puremagic.com/issues/show_bug.cgi?id=12459

This doesn't redirect me.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #3 from Brad Roberts <braddr puremagic.com> 2014-03-25 03:02:24 PDT
---
It didn't redirect me either, but gave no issues when logging in from that page
either.  So, other than being able to view a bug via http, what's the issue
here?  No passwords are sent in the clear (the form submit url is https).  No
problems logging in.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #4 from Vladimir Panteleev <thecybershadow gmail.com> 2014-03-25
12:04:21 EET ---
The problem is that if you log in, then open that page again, you are not
logged in. You have to log in again.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #5 from Brad Roberts <braddr puremagic.com> 2014-03-25 03:09:56 PDT
---
Ok.. I see what you're saying.  It's a difference of expectations.  You're
never logged in on a plain http page.  That's purposeful to avoid having any
security credentials, including the cookie, passed in the clear.. ever.

It doesn't prevent login, just never shows you as logged in on an https page. 
Not a bug.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #6 from Vladimir Panteleev <thecybershadow gmail.com> 2014-03-25
12:12:00 EET ---
I would consider this a problem because websites generally just don't behave
this way.

I don't know what's causing this behavior but I proposed a possible solution in
the issue description.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


Brad Roberts <braddr puremagic.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX


--- Comment #7 from Brad Roberts <braddr puremagic.com> 2014-03-25 03:17:24 PDT
---
Well, we'll see what the 4.x version has after the upgrade, but if you want
this behavior changed, the issue tracker for bugzilla itself is the right place
to lobby for this change.  Personally, I believe it's correct.  I'm going to
close this either way since it's not an issue with this particular installation
of bugzilla.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


Vladimir Panteleev <thecybershadow gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |


--- Comment #8 from Vladimir Panteleev <thecybershadow gmail.com> 2014-03-25
12:20:24 EET ---
I think it's better to keep this open for as long as the issue persists, and
close it when it's fixed. Even if it's not a bug, it's an annoyance that can be
resolved without sacrificing security.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


Brad Roberts <braddr puremagic.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX


--- Comment #9 from Brad Roberts <braddr puremagic.com> 2014-03-25 03:27:32 PDT
---
Reopen if and only if you can convince the bugzilla developers that the change
is worth making.  I believe it _is_ a security risk for the logged in cookie
and it's token to be passed in the clear.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


Vladimir Panteleev <thecybershadow gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |


--- Comment #10 from Vladimir Panteleev <thecybershadow gmail.com> 2014-03-25
12:35:50 EET ---
That was not what I suggested.

This conversation is not headed into a constructive direction. Can we please
reach a consensus before WONTFIX-ing the issue? Closed issues do not appear in
most search results and get lost. Nothing is solved by closing it.

If you don't want to spend time on this issue, you can unassign and unsubscribe
yourself from this issue. Someone else (e.g. I) can instead look into whether
the problem is reproducible on a clean Bugzilla install, whether an upgrade
will fix it (or if it's fixed when this instance is upgraded), follow up to the
Bugzilla developers, etc. This bug can serve to track progress towards fixing
the problem.

Please do not close issues unless they are fixed or can't be fixed. I don't see
how doing so is useful.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


Andrej Mitrovic <andrej.mitrovich gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrej.mitrovich gmail.com


--- Comment #11 from Andrej Mitrovic <andrej.mitrovich gmail.com> 2014-03-25
13:33:22 CET ---
It's really a pain in the ass that every time I click on a bugzilla issue and
try to comment, bugzilla tells me I'm not logged in even though I am.

The autotester seems to have the same issue, I have to click "Log in" multiple
times per day for some reason, even though I never clear my cache or cookies.

It's just one of those little things that are a consistent annoyance to a fast
workflow.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Mar 25 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


yebblies <yebblies gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yebblies gmail.com


--- Comment #12 from yebblies <yebblies gmail.com> 2014-04-02 15:44:28 EST ---
This affects me too, and is quite annoying.  Is it possible to just redirect
all http bugzilla urls to https?

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459


Infiltrator <lt.infiltrator gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lt.infiltrator gmail.com


--- Comment #13 from Infiltrator <lt.infiltrator gmail.com> 2014-04-01 21:52:01
PDT ---
I got here by following the #d dbot link and had to prefix the URL with
'https://' in order to be able to post this comment.  I think that that sums up
my position on this issue.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #14 from Vladimir Panteleev <thecybershadow gmail.com> 2014-04-02
08:08:25 EEST ---
I posted a client-side workaround here:

http://wiki.dlang.org/Bugzilla#Redirect_to_HTTPS

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #15 from Brad Roberts <braddr puremagic.com> 2014-04-01 22:12:08
PDT ---
This would be fixed by switching the require ssl setting from 'authenticated'
to 'ssl'.  However, doing this breaks dlang.org/bugstats.html (well, really,
fetch-issue-cnt.php which that page uses) since the php install on dlang.org
doesn't support https urls.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #16 from Vladimir Panteleev <thecybershadow gmail.com> 2014-04-02
08:16:19 EEST ---
(In reply to comment #15)
 This would be fixed by switching the require ssl setting from 'authenticated'
 to 'ssl'.  However, doing this breaks dlang.org/bugstats.html (well, really,
 fetch-issue-cnt.php which that page uses) since the php install on dlang.org
 doesn't support https urls.

Hmm, does the puremagic server support it? I've encountered a similar problem when trying to access HTTPS resources from D code. Ultimately I wrote a small HTTP-to-HTTPS "proxy" page in PHP: <?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://d.puremagic.com/issues/...whatever..."); curl_exec($ch); curl_close($ch); -- Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email ------- You are receiving this mail because: -------
Apr 01 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #17 from Brad Roberts <braddr puremagic.com> 2014-04-01 22:19:48
PDT ---
It's a dlang.org php configuration issue, that the site admin is aware of,
rather than a d.puremagic.com issue.  I don't know when it'll be fixed.  I
pinged the email thread with him (and a couple others) just a moment ago.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014
prev sibling next sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #18 from Vladimir Panteleev <thecybershadow gmail.com> 2014-04-02
08:22:32 EEST ---
Yes, understood. My suggestion was to work around the dlang.org configuration
issue by not having it access Bugzilla HTTPS resources directly, but through a
HTTP proxy, so that both dlang.org wouldn't need to be able to access HTTPS,
and Bugzilla can be HTTPS-only.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014
prev sibling parent d-bugmail puremagic.com writes:
https://d.puremagic.com/issues/show_bug.cgi?id=12459



--- Comment #19 from Brad Roberts <braddr puremagic.com> 2014-04-01 22:28:31
PDT ---
certainly possible, but a pretty ugly hack to a fixable situation.

-- 
Configure issuemail: https://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Apr 01 2014