What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6
David Miller
justdave at bugzilla.org
Wed Aug 19 18:02:19 UTC 2009
David Lawrence wrote on 8/19/09 10:18 AM:
> On 08/18/2009 08:58 PM, Frédéric Buclin wrote:
>> At the Bugzilla meeting today, there has been some discussion about what
>> to do with the "authenticated sessions" value of the ssl parameter now
>> that you can log in from every page. It seems that it doesn't make sense
>> to keep this value anymore as all pages must be protected using SSL as
>> you can potentially use any of them to log in. Does anyone see a valid
>> reason to not kill this value? This means the ssl parameter would become
>> a single yes/no to use ssl or not, see bug 329638.
>
> As mentioned in the meeting, we (Red Hat) do not utilize this functionality
> since our multiple web servers sit behind a load balancing proxy which does
> the automatic redirect to SSL for all requests. So we normally keep the
> ssl param set to 'never' now anyway. So I vote yes for this change.
Same at Mozilla. We'd always had it set to "never" with the https: in
the urlbase. Looking at the config now, it looks like it's set to
"always" at the moment, but both urlbase and sslbase are the same.
--
Dave Miller http://www.justdave.net/
System Administrator, Mozilla Corporation http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/
More information about the developers
mailing list