Closed
Bug 95732
Opened 23 years ago
Closed 23 years ago
remove logincookies.cryptpassword
Categories
(Bugzilla :: Bugzilla-General, defect, P1)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: myk, Assigned: bbaetz)
References
Details
(Whiteboard: [schema])
Attachments
(1 file, 1 obsolete file)
(deleted),
patch
|
myk
:
review+
bbaetz
:
review+
|
Details | Diff | Splinter Review |
profiles.cryptpassword has changed to 34 characters. logincookies.cryptpassword
should do the same since they both store the same kinds of values.
Updated•23 years ago
|
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment 1•23 years ago
|
||
This should take 5 minutes, I'll see what I can do.
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → 2.10
Assignee | ||
Comment 3•23 years ago
|
||
After speaking to justdave on IRC, lets just remove this field, and clear out
logincookies whenever the password changes, for any reason (token, editusers, etc)
checksetup will have to remove these invalid cookies when updating, of course
Assignee: justdave → bbaetz
Summary: logincookies.cryptpassword is 64 characters long → remove logincookies.cryptpassword
Assignee | ||
Comment 4•23 years ago
|
||
It turns out that both values are the same, from at least the crypt password
checkin, according to bonsai. I only noticed this after changing everything
else, though, so here you go. Theres nothing too complicated - someone testing
the conversion code on more than my one installation would be helpful; I can't
seem to get to landfill now.
Assignee | ||
Comment 5•23 years ago
|
||
OK, tested on landfill:
mysql> use bugs;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select count(*) from logincookies, profiles where
logincookies.cryptpassword != profiles.cryptpassword and
logincookies.userid=profiles.userid;
+----------+
| count(*) |
+----------+
| 60 |
+----------+
1 row in set (0.01 sec)
mysql> select count(*) from logincookies;
+----------+
| count(*) |
+----------+
| 167 |
+----------+
1 row in set (0.00 sec)
mysql> use bugs_bbaetz;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select count(*) from logincookies;
+----------+
| count(*) |
+----------+
| 107 |
+----------+
1 row in set (0.00 sec)
167-60==107, so thats correct.
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•23 years ago
|
||
Oh, and this is on http://landfill.tequilarista.org/bbaetz/
ITs a schema change to, so if you test this on your own installation remember to
use a different db.
Whiteboard: [schema[
Assignee | ||
Updated•23 years ago
|
Whiteboard: [schema[ → [schema]
Updated•23 years ago
|
Reporter | ||
Comment 7•23 years ago
|
||
Comment on attachment 65406 [details] [diff] [review]
patch
>Index: globals.pl
...
>+sub invalidateLogins {
Nit: These kinds of functions in globals.pl tend to have a capitalized
first character.
>Index: relogin.cgi
...
>+if ($::userid) {
>+ SendSQL("DELETE FROM logincookies WHERE cookie = " .
>+ SqlQuote($::COOKIE{"Bugzilla_logincookie"}) .
>+ "AND userid = $::userid");
Isn't "AND userid = $::userid" unnecessary here since the
login cookie is guaranteed to belong to the current user?
Haven't tested it yet. Still getting TT 2.06 set up on my b.m.o.
test installation.
Reporter | ||
Comment 8•23 years ago
|
||
Tested it, and it works. Waiting for response from bbaetz regarding potentially
unnecessary code in relogin.cgi before granting review.
Assignee | ||
Comment 9•23 years ago
|
||
Call it a sanity check. Its certainly correct, and since we don't lock tables
arround this its technically possible for two of these to run in parallel, with
the login cookie being reused for someone else after the first delete. (OK,
getting that to actually happen in real life is probably impossible, and I'd
have a beter chance of winning the lottery 100 times in a row. Still, it doesn't
hurt)
Do you want me to change the sub's name?
Reporter | ||
Comment 10•23 years ago
|
||
>Call it a sanity check. Its certainly correct, and since we don't lock tables
>arround this its technically possible for two of these to run in parallel, with
>the login cookie being reused for someone else after the first delete. (OK,
>getting that to actually happen in real life is probably impossible, and I'd
>have a beter chance of winning the lottery 100 times in a row. Still, it
>doesn't hurt)
Ok, I'll buy it, but add a comment with this explanation so future generations
can buy it too.
>Do you want me to change the sub's name?
Yes.
Assignee | ||
Comment 11•23 years ago
|
||
OK, this takes myk's changes into account
Attachment #65406 -
Attachment is obsolete: true
Reporter | ||
Comment 12•23 years ago
|
||
Comment on attachment 67570 [details] [diff] [review]
v2
looks good, works. r=myk
Attachment #67570 -
Flags: review+
Comment 13•23 years ago
|
||
Comment on attachment 67570 [details] [diff] [review]
v2
>+sub InvalidateLogins {
>+ my ($userid, $keep) = @_;
>+
>+ my $remove = "DELETE FROM logincookies WHERE userid = $userid";
>+ if (defined $keep) {
>+ $remove .= " AND cookie != " . SqlQuote($keep);
>+ }
>+ SendSQL($remove);
>+}
>+
[...]
>+if ($::userid) {
>+ # Even though we know the userid must match, we still check it in the
>+ # SQL as a sanity check, since there is no locking here, and if
>+ # the user logged out from two machines simulataniously, while someone
>+ # else logged in and got the same cookie, we could be logging the
>+ # other user out here. Yes, this is very very very unlikely, but why
>+ # take chances? - bbaetz
>+ SendSQL("DELETE FROM logincookies WHERE cookie = " .
>+ SqlQuote($::COOKIE{"Bugzilla_logincookie"}) .
>+ "AND userid = $::userid");
>+}
Just one question: why not wrap this up into InvalidateLogins as well? It would
be
the opposite of keep, and would make the code more SQL-free.
If you feel I'm polluting the API, ignore this, and r=kiko.
Assignee | ||
Comment 14•23 years ago
|
||
Because I just want to remove one cookie here, and its the only place which
requires this.
Assignee | ||
Comment 15•23 years ago
|
||
Comment on attachment 67570 [details] [diff] [review]
v2
makring r=kiko - see previous comment
Attachment #67570 -
Flags: review+
Assignee | ||
Comment 16•23 years ago
|
||
Comment on attachment 67570 [details] [diff] [review]
v2
makring r=kiko - see previous comment
Assignee | ||
Comment 17•23 years ago
|
||
...and checked in (sorry for the double post before)
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•