Closed Bug 95732 Opened 23 years ago Closed 23 years ago

remove logincookies.cryptpassword

Categories

(Bugzilla :: Bugzilla-General, defect, P1)

2.13
x86
All
defect

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: myk, Assigned: bbaetz)

References

Details

(Whiteboard: [schema])

Attachments

(1 file, 1 obsolete file)

profiles.cryptpassword has changed to 34 characters. logincookies.cryptpassword should do the same since they both store the same kinds of values.
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
This should take 5 minutes, I'll see what I can do.
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → 2.10
correcting version field lost in product move
Version: 2.10 → 2.13
After speaking to justdave on IRC, lets just remove this field, and clear out logincookies whenever the password changes, for any reason (token, editusers, etc) checksetup will have to remove these invalid cookies when updating, of course
Assignee: justdave → bbaetz
Summary: logincookies.cryptpassword is 64 characters long → remove logincookies.cryptpassword
Attached patch patch (obsolete) (deleted) — Splinter Review
It turns out that both values are the same, from at least the crypt password checkin, according to bonsai. I only noticed this after changing everything else, though, so here you go. Theres nothing too complicated - someone testing the conversion code on more than my one installation would be helpful; I can't seem to get to landfill now.
OK, tested on landfill: mysql> use bugs; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> select count(*) from logincookies, profiles where logincookies.cryptpassword != profiles.cryptpassword and logincookies.userid=profiles.userid; +----------+ | count(*) | +----------+ | 60 | +----------+ 1 row in set (0.01 sec) mysql> select count(*) from logincookies; +----------+ | count(*) | +----------+ | 167 | +----------+ 1 row in set (0.00 sec) mysql> use bugs_bbaetz; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> select count(*) from logincookies; +----------+ | count(*) | +----------+ | 107 | +----------+ 1 row in set (0.00 sec) 167-60==107, so thats correct.
Status: NEW → ASSIGNED
Oh, and this is on http://landfill.tequilarista.org/bbaetz/ ITs a schema change to, so if you test this on your own installation remember to use a different db.
Whiteboard: [schema[
Whiteboard: [schema[ → [schema]
Keywords: patch, review
Comment on attachment 65406 [details] [diff] [review] patch >Index: globals.pl ... >+sub invalidateLogins { Nit: These kinds of functions in globals.pl tend to have a capitalized first character. >Index: relogin.cgi ... >+if ($::userid) { >+ SendSQL("DELETE FROM logincookies WHERE cookie = " . >+ SqlQuote($::COOKIE{"Bugzilla_logincookie"}) . >+ "AND userid = $::userid"); Isn't "AND userid = $::userid" unnecessary here since the login cookie is guaranteed to belong to the current user? Haven't tested it yet. Still getting TT 2.06 set up on my b.m.o. test installation.
Tested it, and it works. Waiting for response from bbaetz regarding potentially unnecessary code in relogin.cgi before granting review.
Call it a sanity check. Its certainly correct, and since we don't lock tables arround this its technically possible for two of these to run in parallel, with the login cookie being reused for someone else after the first delete. (OK, getting that to actually happen in real life is probably impossible, and I'd have a beter chance of winning the lottery 100 times in a row. Still, it doesn't hurt) Do you want me to change the sub's name?
>Call it a sanity check. Its certainly correct, and since we don't lock tables >arround this its technically possible for two of these to run in parallel, with >the login cookie being reused for someone else after the first delete. (OK, >getting that to actually happen in real life is probably impossible, and I'd >have a beter chance of winning the lottery 100 times in a row. Still, it >doesn't hurt) Ok, I'll buy it, but add a comment with this explanation so future generations can buy it too. >Do you want me to change the sub's name? Yes.
Attached patch v2 (deleted) — Splinter Review
OK, this takes myk's changes into account
Attachment #65406 - Attachment is obsolete: true
Blocks: 58242
Comment on attachment 67570 [details] [diff] [review] v2 looks good, works. r=myk
Attachment #67570 - Flags: review+
Comment on attachment 67570 [details] [diff] [review] v2 >+sub InvalidateLogins { >+ my ($userid, $keep) = @_; >+ >+ my $remove = "DELETE FROM logincookies WHERE userid = $userid"; >+ if (defined $keep) { >+ $remove .= " AND cookie != " . SqlQuote($keep); >+ } >+ SendSQL($remove); >+} >+ [...] >+if ($::userid) { >+ # Even though we know the userid must match, we still check it in the >+ # SQL as a sanity check, since there is no locking here, and if >+ # the user logged out from two machines simulataniously, while someone >+ # else logged in and got the same cookie, we could be logging the >+ # other user out here. Yes, this is very very very unlikely, but why >+ # take chances? - bbaetz >+ SendSQL("DELETE FROM logincookies WHERE cookie = " . >+ SqlQuote($::COOKIE{"Bugzilla_logincookie"}) . >+ "AND userid = $::userid"); >+} Just one question: why not wrap this up into InvalidateLogins as well? It would be the opposite of keep, and would make the code more SQL-free. If you feel I'm polluting the API, ignore this, and r=kiko.
Because I just want to remove one cookie here, and its the only place which requires this.
Comment on attachment 67570 [details] [diff] [review] v2 makring r=kiko - see previous comment
Attachment #67570 - Flags: review+
Comment on attachment 67570 [details] [diff] [review] v2 makring r=kiko - see previous comment
...and checked in (sorry for the double post before)
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Blocks: 43900
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: