On Saturday, 29 November 2014 22:13:30 CEST, Ian Wadham wrote:
> IOW, can I offer that as a workaround until we can release your fix? Or does BKO leave stale cookies in the jar?

Had a stale cookie there, might have been added by rekonq or konqueror (I 
usually used qupzilla lately).
After kicking that (kcmshell4 cookies) the token login worked as well.

DrKonqi added another cookie ("Bugzilla_login_request_cookie"), but that is no 
harm (did a third invalid bug report)

Logging in with konqueror adds a second cookie ("Bugzilla_login") which expires 
in 2038 and is among the ones I deleted before. I strongly believe that this will break it 
again, but won't risk spamming another bug for that purpose.

Sum up:
-------
a) Password login works with 4.4.6 (at least bugs.kde.org version) and is 
robust against stale cookies in kcookiejar
b) getting rid of bugs.kde.org cookies fixes token security, but
c) web login via kio_http (or anything making use of kcookiejar) will (most 
likely) re-add a bad cookie

=> Since telling users to delete bugs.kde.org cookies on bugreporting is no viable 
solution, I'd propose to either go for password logins or unleash the cookie monster on all 
cookies from the bugzilla domain. (KCookieJar has a promising "eatCookie*" 
function set, but I'd have to look up how to access the global cookie jar.)

> You mean you added a spurious report to the live BKO DB?  Tsk, tsk… :-)
One? Three! - By now ;-)
But I promised to do no more, so please don't make me a liar =)


Cheers,
Thomas
