Dr Konqi still misbehaving - advice needed

Thomas Lübking thomas.luebking at gmail.com
Sat Nov 29 23:19:04 GMT 2014


On Saturday, 29 November 2014 22:13:30 CEST, Ian Wadham wrote:
> IOW, can I offer that as a workaround until we can release your 
> fix?  Or does BKO leave stale cookies in the jar?

Had a stale cookie there, might have been added by rekonq or konqueror (I usually used qupzilla lately).
After kicking that (kcmshell4 cookies) the token login worked as well.

DrKonqi added another cookie ("Bugzilla_login_request_cookie"), but that does no harm (did a third invalid bug report).

Logging in with konqueror adds a second cookie ("Bugzilla_login") which expires in 2038 and is among the ones I deleted before. I strongly believe that this will break it again, but won't risk spamming another bug for that purpose.

Sum up:
-------
a) Password login works with 4.4.6 (at least bugs.kde.org version) and is robust against stale cookies in kcookiejar
b) getting rid of bugs.kde.org cookies fixes token security, but
c) web login via kio_http (or anything making use of kcookiejar) will (most likely) re-add a bad cookie

=> Since telling users to delete bugs.kde.org cookies on bug reporting is no viable solution, I'd propose to either go for password logins or unleash the cookie monster on all cookies from the bugzilla domain. (KCookieJar has a promising "eatCookie*" function set, but I'd have to look up how to access the global cookie jar.)

> You mean you added a spurious report to the live BKO DB?  Tsk, tsk… :-)
One? Three! - By now ;-)
But I promised to do no more, so please don't make me a liar =)


Cheers,
Thomas




More information about the kde-core-devel mailing list