Mozilla
 » 
Bugzilla
 » 
Bugzilla - Dev

Re: What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6

View: New views
2 Messages — Rating Filter:   Alert me  

Parent Message unknown Re: What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6

by SnowyOwl :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

On 19 авг, 06:58, "Frédéric Buclin" <lpso...@...> wrote:

> At the Bugzilla meeting today, there has been some discussion about what
> to do with the "authenticated sessions" value of the ssl parameter now
> that you can log in from every page. It seems that it doesn't make sense
> to keep this value anymore as all pages must be protected using SSL as
> you can potentially use any of them to log in. Does anyone see a valid
> reason to not kill this value? This means the ssl parameter would become
> a single yes/no to use ssl or not, see bug 329638.

The only scenario I could see is where some users do not have HTTPS
access at all.  For example, Bugzilla is used by staff from intranet
using HTTPS, but exposed to public internet as read-only searchable
knowledge base for users.

HTTPS may be unavailable to those users to reduce server load, as it
protects nothing in this setup.
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla@...
https://lists.mozilla.org/listinfo/dev-apps-bugzilla
-
To view or change your list settings, click here:
<http://bugzilla.org/cgi-bin/mj_wwwusr?user=$MSGRCPT>

Re: What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6

by Max Kanat-Alexander :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

On 08/30/2009 09:13 PM, SnowyOwl wrote:
> The only scenario I could see is where some users do not have HTTPS
> access at all.  For example, Bugzilla is used by staff from intranet
> using HTTPS, but exposed to public internet as read-only searchable
> knowledge base for users.
>
> HTTPS may be unavailable to those users to reduce server load, as it
> protects nothing in this setup.

        Well, this situation seems fairly unlikely, and also really doesn't
matter that much, because honestly Bugzilla doesn't put that much load
on a web server, and the load it *does* put on the server is already
much more significant than the load put on by SSL. So I don't think we
have to worry too much about this situation. And anybody who *really*
needed it could still accomplish it with a proxy.

        -Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
-
To view or change your list settings, click here:
<http://bugzilla.org/cgi-bin/mj_wwwusr?user=lists@...>
Free embeddable forum powered by Nabble Forum Help