Re: [opensuse-web] https://bugzilla.novell.com/
I apologize if this is not the correct way to respond to this thread. I'm the Bugzilla developer for http://bugzilla.novell.com and I'd like to apologize for the lack of communication regarding this issue. Bugzilla does in fact use the Access Manager authentication system, meaning the same login through Bugzilla will get you into a number of services, such as the OpenSUSE forum. There is no persistence with the login for security reasons, though there have been discussions about increasing the length before a session timeout.
From what I can tell, bugzilla.redhat.com uses one of the built-in authentication methods for Bugzilla, meaning all sessions are handled by Bugzilla itself. Bugzilla has, at this time, only two available session lengths: indefinite and browser session. Our Bugzilla configuration is currently set at browser session, but since Access Manager handles its own sessions, the actual login session length is under its control, so the browser session will lose its "logged in" status if the browser is on longer than that. Switching Bugzilla to indefinite session length would not fix this issue, as Access Manager's session length will still take precedence, resulting in an even more annoying situation for anyone using Bugzilla.
I have been in talks with the Access Manager team to find solutions to these session timeouts, including decoupling the two timeouts, and we will be exploring these options shortly after we have completed upgrading the Bugzilla systems, which includes improvements to the Access Manager experience.
I hope this information proves useful.
Ryan Wilson
Application Engineer II
RyWilson@novell.com
Attachmate | NetIQ | Novell | SUSE
Ryan Wilson (RyWilson@novell.com) wrote:
> I apologize if this is not the correct way to respond to this thread.
It is the correct way - no apology necessary in this case ;-)
> I'm the Bugzilla developer for http://bugzilla.novell.com and I'd like to apologize for the lack of communication regarding this issue.
> Bugzilla does in fact use the Access Manager authentication system, meaning the same login through Bugzilla will get you into a number of services, such as the OpenSUSE forum. There is no persistence with the login for security reasons,
As I mentioned in https://bugzilla.novell.com/show_bug.cgi?id=753203#c3, "persistence" seems a somewhat ambiguous term in this context. What exactly do you mean by that in this context?
> though there have been discussions about increasing the length before a session timeout.
Yes. That seems to me the only reasonable thing to offer (but only for secure computers), as reiterated here: https://bugzilla.novell.com/show_bug.cgi?id=753203#c12
> From what I can tell, bugzilla.redhat.com uses one of the built-in authentication methods for Bugzilla, meaning all sessions are handled by Bugzilla itself. Bugzilla has, at this time, only two available session lengths: indefinite and browser session. Our Bugzilla configuration is currently set at browser session, but since Access Manager handles its own sessions, the actual login session length is under its control, so the browser session will lose its "logged in" status if the browser is on longer than that. Switching Bugzilla to indefinite session length would not fix this issue, as Access Manager's session length will still take precedence, resulting in an even more annoying situation for anyone using Bugzilla.
Understood.
> I have been in talks with the Access Manager team to find solutions to these session timeouts, including decoupling the two timeouts, and we will be exploring these options shortly after we have completed upgrading the Bugzilla systems, which includes improvements to the Access Manager experience.
Sounds great. Please bear in mind my comments in the bug about the need for at least two different security models (secure computers vs. insecure), to be determined at the browser client-side level.
> I hope this information proves useful.
It certainly does. Thanks a lot!
participants (2): Adam Spiers, Ryan Wilson