What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6
David Lawrence
dkl at redhat.com
Wed Aug 19 18:18:24 UTC 2009
On 08/19/2009 02:02 PM, David Miller wrote:
> David Lawrence wrote on 8/19/09 10:18 AM:
>
>> On 08/18/2009 08:58 PM, Frédéric Buclin wrote:
>>
>>> At the Bugzilla meeting today, there has been some discussion about what
>>> to do with the "authenticated sessions" value of the ssl parameter now
>>> that you can log in from every page. It seems that it doesn't make sense
>>> to keep this value anymore as all pages must be protected using SSL as
>>> you can potentially use any of them to log in. Does anyone see a valid
>>> reason to not kill this value? This means the ssl parameter would become
>>> a single yes/no to use ssl or not, see bug 329638.
>>>
>> As mentioned in the meeting, we (Red Hat) do not utilize this functionality
>> since our multiple web servers sit behind a load balancing proxy which does
>> the automatic redirect to SSL for all requests. So we normally keep the
>> ssl param set to 'never' now anyway. So I vote yes for this change.
>>
> Same at Mozilla. We'd always had it set to "never" with the https: in
> the urlbase. Looking at the config now, it looks like it's set to
> "always" at the moment, but both urlbase and sslbase are the same.
>
We had it mistakenly once set to ssl == 'always' and any request to the
server got stuck in an endless looping redirect.
Dave
--
David Lawrence, RHCE dkl at redhat.com
------------------------------------
Red Hat, Inc. Web: www.redhat.com
1801 Varsity Drive Raleigh, NC 27606