From 8ecb3ad6ecc8d636fb205895d736108cbc8083a1 Mon Sep 17 00:00:00 2001 From: "mkanat%bugzilla.org" <> Date: Fri, 9 Oct 2009 04:31:08 +0000 Subject: Bug 514913: Eliminate ssl="authenticated sessions" Patch by Max Kanat-Alexander r=dkl, a=mkanat --- Bugzilla/Auth/Login/CGI.pm | 11 ----------- Bugzilla/Auth/Persist/Cookie.pm | 8 +++----- 2 files changed, 3 insertions(+), 16 deletions(-) (limited to 'Bugzilla/Auth') diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/Login/CGI.pm index 5be98aa7a..a93bc3d3a 100644 --- a/Bugzilla/Auth/Login/CGI.pm +++ b/Bugzilla/Auth/Login/CGI.pm @@ -65,17 +65,6 @@ sub fail_nodata { ->faultstring('Login Required'); } - # If system is not configured to never require SSL connections - # we want to always redirect to SSL since passing usernames and - # passwords over an unprotected connection is a bad idea. If we - # get here then a login form will be provided to the user so we - # want this to be protected if possible. - if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne '' - && Bugzilla->params->{'ssl'} ne 'never') - { - $cgi->require_https(Bugzilla->params->{'sslbase'}); - } - print $cgi->header(); $template->process("account/auth/login.html.tmpl", { 'target' => $cgi->url(-relative=>1) }) diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm index c533252d3..60f90925e 100644 --- a/Bugzilla/Auth/Persist/Cookie.pm +++ b/Bugzilla/Auth/Persist/Cookie.pm @@ -89,11 +89,9 @@ sub persist_login { # Not a session cookie, so set an infinite expiry $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT'; } - if (Bugzilla->params->{'ssl'} ne 'never' - && Bugzilla->params->{'sslbase'} ne '') - { - # Bugzilla->login will automatically redirect to https://, - # so it's safe to turn on the 'secure' bit. + if (Bugzilla->params->{'ssl_redirect'}) { + # Make these cookies only be sent to us by the browser during + # HTTPS sessions, if we're using SSL. $cookieargs{'-secure'} = 1; } -- cgit v1.2.3-24-g4f1b