enforcing access is via urlbase

bugzilla at glob.com.au bugzilla at glob.com.au
Thu Sep 30 02:30:43 UTC 2004


what do people think about always redirecting to urlbase (once it's been set)
if the current url doesn't match it?

right now if a machine has multiple names that point to the same httpd, you
can hit bugzilla on any of those names regardless of the configured urlbase

this has an impact on cookies and on a bug 260682 (support redirecting to
https for authenticated sessions only).  this bug basically redirects from the
current url to https://current url when a login is required.

stephen lee raised a valid point on that bug.. what if the box has multiple
names and the certificate is attached to a name that you're not accessing?

this got me thinking..

one fix is to add another parameter to specify the sslbase but i think we have
enough parameters as it is.  (need to sort out that categorise parameters bug)

another option is to ensure that when a user hits the bugzilla install, they
use the official urlbase, and redirect if they don't.
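
The redirect decision proposed in the message above, as an added example in Python; it is not part of the original post and not Bugzilla code. The function names and the example.com host names are assumptions made for illustration. The target is built only from the configured urlbase, so the client-supplied Host header never decides where the user is sent, and an https urlbase always lands on the name the certificate covers.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(scheme, netloc):
    """Normalise scheme + host[:port] to a comparable tuple, or None if malformed."""
    try:
        parts = urlsplit(f"{scheme}://{netloc}")
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # bad port or bracketed host in the Host header
        return None
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return parts.scheme, host, port


def canonical_redirect(urlbase, req_scheme, req_host, req_uri):
    """Return the URL to redirect to, or None when the request already uses urlbase.

    urlbase    -- configured value, e.g. "https://bugs.example.com/bugzilla/"
    req_scheme -- "http" or "https" as seen by the web server
    req_host   -- Host header value (client controlled, used for comparison only)
    req_uri    -- request path plus query string
    """
    if not urlbase:
        return None  # urlbase not set yet: nothing to enforce
    base = urlsplit(urlbase)
    if _origin(req_scheme, req_host) == _origin(base.scheme, base.netloc):
        return None  # already on the official name, scheme and port
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    # Keep the page and query only when the request was inside the install path;
    # anything else goes to the front page of the official install.
    rest = req_uri[len(base_path):] if req_uri.startswith(base_path) else ""
    return f"{base.scheme}://{base.netloc}{base_path}{rest}"


if __name__ == "__main__":
    # Constructed sample: one httpd reachable under an alias, cert on the urlbase name.
    base = "https://bugs.example.com/bugzilla/"
    print(canonical_redirect(base, "http", "box1.example.com", "/bugzilla/show_bug.cgi?id=1"))
    print(canonical_redirect(base, "https", "BUGS.example.com:443", "/bugzilla/"))
```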






