[opensuse-factory] Bug-system login gone kah-foo-ii again: please allow user to 'stay logged in' for 30 days or more
W/R/T bugzilla and logging in. Would it be possible to extend the time one is logged-in to 30 days from last activity (with option to 'log off'). I know other secure(https) sites that allow one to remain logged-in, some for multiple months, some without a stated limit, etc.

It's a hindrance to people using suse logins to any of the opensuse or suse sites. I wanted to check on a bug's status that I'd updated yesterday, but was already logged out.

It wouldn't be so bad if my login+password could be \allowed\ to be remembered as many other secure sites allow (amazon and my HMO's website), but maintaining the "logged-in" state and for how-many days could be a part of a user's profile.

But meanwhile, extending the cookie expiration to "current-date+30" every time a user visits the site would be a great help. It would at least allow me to be "logged in", which I don't seem to be able to do, right now (though I was yesterday).

Instead, I get taken to "https://esp.microfocus.com/nesp/idff/metadata" where it displays an unstyled XML document beginning with:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<md:EntityDescriptor id="0000-11110222-3333" providerID="https://esp.microfocus.com:443/nesp/idff/metadata">
<md:SPDescriptor id="abcde-xyz" protocolSupportEnumeration="urn:liberty:iff:2003-08">
<md:KeyDescriptor use="signing">
...
----

Perhaps needless to say, but this prevents me from logging in again and has happened more than once in the past, sometimes with it not allowing me to login for months.

If bugzilla and other suse+opensuse sites would allow me to remain logged in, then it wouldn't be so much of an issue.

Thanks!
-linda
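Added example, not part of the original post and not code from Bugzilla or the login backend: the sliding expiry requested above (expiry moved to "current-date+30" on every visit), as a signed cookie whose idle window is renewed on each request. The absolute cap, the cookie layout and all names are assumptions made for the illustration.

```python
import hashlib
import hmac

IDLE_WINDOW = 30 * 24 * 3600      # "current-date+30": renewed on every visit
ABSOLUTE_CAP = 90 * 24 * 3600     # assumption: hard limit counted from the password login
SECRET = b"constructed-demo-key"  # constructed value; a real key comes from a secret store


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue(user: str, login_time: int, now: int) -> str:
    """Build a cookie value of the form user|login_time|expires|mac."""
    # The expiry slides with activity but never passes login_time + ABSOLUTE_CAP.
    expires = min(now + IDLE_WINDOW, login_time + ABSOLUTE_CAP)
    payload = f"{user}|{login_time}|{expires}"
    return f"{payload}|{_sign(payload)}"


def visit(cookie: str, now: int):
    """Check a cookie on a request; return (user, renewed_cookie) or (None, None)."""
    try:
        user, login_time, expires, mac = cookie.split("|")
        login_time, expires = int(login_time), int(expires)
    except ValueError:
        return None, None                      # malformed cookie
    payload = f"{user}|{login_time}|{expires}"
    if not hmac.compare_digest(mac, _sign(payload)):
        return None, None                      # fields were altered client-side
    if now >= expires:
        return None, None                      # idle too long, or cap reached
    return user, issue(user, login_time, now)  # slide the window forward
```

A stateless cookie like this cannot be revoked by the server before it expires, so the 'log off' option in the request would also need a server-side session record or revocation list.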
In case there was any confusion .. I was talking about the bug-system that is bugzilla... ;-)
On 2017-01-10 21:19, L A Walsh wrote:
> W/R/T bugzilla and logging in. Would it be possible to extend the time one is logged-in to 30 days from last activity (with option to 'log off').
You are not the first one to ask.

The quick answer is "no".

This is not the typical https site. It uses a special authentication backend that Novell sells (I don't remember the name), so that "bugzilla" does not have the control. It is used for all suse/novell/opensuse services, not only bugzilla. It has been proven pretty safe: the frontend has been hacked more than once, but they never got the user/pass list.

The same system is also used for the business clients of all Novell web places; apparently security can not be loosened in one place alone, all would be affected. So the timeout and the rules are the same for the entire system.

That's more or less what I know.

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 01/11/2017 10:59 AM, Carlos E. R. wrote:
> On 2017-01-10 21:19, L A Walsh wrote:
>> W/R/T bugzilla and logging in. Would it be possible to extend the time one is logged-in to 30 days from last activity (with option to 'log off').
>
> You are not the first one to ask.
>
> The quick answer is "no".
>
> This is not the typical https site. It uses a special authentication backend that Novell sells (I don't remember the name), so that "bugzilla" does not have the control. It is used for all suse/novell/opensuse services, not only bugzilla. It has been proven pretty safe: the frontend has been hacked more than once, but they never got the user/pass list.
>
> The same system is also used for the business clients of all Novell web places; apparently security can not be loosened in one place alone, all would be affected. So the timeout and the rules are the same for the entire system.
>
> That's more or less what I know.
Except these days Novell doesn't exist and it's Microfocus instead, as far as I'm aware bugzilla is run by Microfocus IT now rather than SUSE and follows Microfocus's corporate security rules with respect to passwords etc.

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+9:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On 10.01.17 21:19 L A Walsh wrote:
> It wouldn't be so bad if my login+password could be \allowed\ to be remembered as many other secure sites allow (amazon and my HMO's website), but maintaining the "logged-in" state and for how-many days could be a part of a user's profile.
My Seamonkey has no problems remembering the password. And Firefox should not, either. Maybe it takes some kind of tweaking, but I would be surprised if saving the password fails.

I have a bookmark that removes all javascript-voodoo preventing SM/FF from saving the password:

javascript:(function(){var%20ca,cea,cs,df,dfe,i,j,x,y;function%20n(i,what){return%20i+%22%20%22+what+((i==1)?%22%22:%22s%22)}ca=cea=cs=0;df=document.forms;for(i=0;i<df.length;++i){x=df[i];dfe=x.elements;if(x.onsubmit){x.onsubmit=%22%22;++cs;}if(x.attributes[%22autocomplete%22]){x.attributes[%22autocomplete%22].value=%22on%22;++ca;}for(j=0;j<dfe.length;++j){y=dfe[j];if(y.attributes[%22autocomplete%22]){y.attributes[%22autocomplete%22].value=%22on%22;++cea;}}}alert(%22Removed%20autocomplete=off%20from%20%22+n(ca,%22form%22)+%22%20and%20from%20%22+n(cea,%22form%20element%22)+%22,%20and%20removed%20onsubmit%20from%20%22+n(cs,%22form%22)+%22.%20After%20you%20type%20your%20password%20and%20submit%20the%20form,%20the%20browser%20will%20offer%20to%20remember%20your%20password.%22)})();

There is also this (and a lot more).
https://addons.mozilla.org/en-US/firefox/addon/rememberpass/

Johannes
On 2017-01-12 09:58, Johannes Kastl wrote:
> My Seamonkey has no problems remembering the password. And Firefox should not, either. Maybe it takes some kind of tweaking, but I would be surprised if saving the password fails.
Yes, of course Firefox remembers the login/pass pairs of sites. You can protect them with a master password, which would be a good idea.

--
Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
On 01/10/17 14:19, L A Walsh wrote:
> It wouldn't be so bad if my login+password could be \allowed\ to be remembered as many other secure sites allow (amazon and my HMO's website), but maintaining the "logged-in" state and for how-many days could be a part of a user's profile.
I am not having a problem with my browser remembering the login credentials for the site.

I think the real problem is different. You can log in to bugzilla at:

bugzilla.opensuse.org
bugzilla.suse.com
bugzilla.novell.com

However, a login at one of those leaves you still logged out at the others. The last time that I tried, a login at a second one of those left me logged out at the first. This can be confusing.

My current practice is to use only "bugzilla.opensuse.org" for logins. If I receive email on a bug, and the link in the email is different, then I change the link to reference b.o.o before I attempt to answer.

I usually log in at the forums, and that carries over to b.o.o but not to b.s.c nor to b.n.c.

I'll note that I do allow third party cookies. So it is not my browser that is preventing a login from working at all site names at the same time.
Neil Rickert wrote:
> On 01/10/17 14:19, L A Walsh wrote:
>> It wouldn't be so bad if my login+password could be \allowed\ to be remembered as many other secure sites allow (amazon and my HMO's website), but maintaining the "logged-in" state and for how-many days could be a part of a user's profile.
>
> I am not having a problem with my browser remembering the login credentials for the site.
Ditto.
> My current practice is to use only "bugzilla.opensuse.org" for logins.
I've been doing that for a while, I think I even set up our squid to redirect accesses to bugzilla.{suse,novell}.com to bugzilla.opensuse.org.

--
Per Jessen, Zürich (0.4°C)

http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Friday, 13 January 2017 18.29:57 h CET Per Jessen wrote:
> Neil Rickert wrote:
>> On 01/10/17 14:19, L A Walsh wrote:
>>> It wouldn't be so bad if my login+password could be \allowed\ to be remembered as many other secure sites allow (amazon and my HMO's website), but maintaining the "logged-in" state and for how-many days could be a part of a user's profile.
>>
>> I am not having a problem with my browser remembering the login credentials for the site.
>
> Ditto.
>
>> My current practice is to use only "bugzilla.opensuse.org" for logins.
>
> I've been doing that for a while, I think I even set up our squid to redirect accesses to bugzilla.{suse,novell}.com to bugzilla.opensuse.org.
Bug then the color are not setup correctly :-)

Ok I'm out, that was the bad friday's joke

--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
participants (7)
- Bruno Friedmann
- Carlos E. R.
- Johannes Kastl
- L A Walsh
- Neil Rickert
- Per Jessen
- Simon Lees