
Bug 209557

Summary: Site login for www.eclipse.org
Product: Community
Reporter: Denis Roy <denis.roy>
Component: Website
Assignee: Denis Roy <denis.roy>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: nathan, phoenix.ui-inbox, wayne.beaton
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard:
Attachments:
    Patch for site login (flags: none)
    Revised patch for site login (flags: none)
    Re-revised patch for site login (flags: denis.roy: review?)

Description Denis Roy CLA 2007-11-12 16:50:10 EST
We need a mechanism to allow users to log into our website using their Bugzilla credentials.
Comment 1 Denis Roy CLA 2007-11-20 16:59:12 EST
Created attachment 83366 [details]
Patch for site login

Here is a patch for a site login.  The authentication process is handled via a page that only I have commit access to, but I'm providing API so that anyone can consume the logged in user's information.

For instance, from a typical Phoenix page:


# This will identify a Bugzilla user, registered or not.
$Session = $App->useSession();

# This will get Friend information from the logged in user.
$Friend = $Session->getFriend();

# Print the logged in user's Bugzilla ID and first name.
echo "Logged in Bugzilla ID: " . $Session->getBugzillaID() . " First Name: " . $Friend->getFirstName();
Comment 2 Denis Roy CLA 2007-11-21 09:04:01 EST
Created attachment 83428 [details]
Revised patch for site login

I've revised the patch to add session destruction and event logging.

We should note that, although the transmission of the user's Bugzilla credentials to our servers will be protected with https during the authentication phase, this type of session persistence simply relies on a combination of a 256-bit hash and the user's IP subnet over plain http, so security will be fairly low.  

Anyone on the same subnet as the user could potentially intercept and impersonate the user's session.

However, for now the risks are low as there won't be much one can do on www.eclipse.org as an authenticated user. The www.eclipse.org session is not tied to the actual Bugzilla application in any way.  We should keep this in mind, in case we ever *do* decide to do stuff on our website that would require better security.
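As an added illustration of the session mechanism described in this comment (example code written for this page, not part of the Phoenix patch), the PHP below keeps a random 256-bit token bound to the client's /24 subnet and then checks which requests that binding accepts. The class and method names are hypothetical and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not part of the Phoenix patch: a session store that binds a
// random 256-bit token to the client's /24 subnet, as described above, plus a
// constructed walk-through of why that binding is weak over plain http.
final class SubnetSession   // hypothetical class name
{
    /** @var array<string, array{subnet: string, bugzilla_id: int}> keyed by sha256(token) */
    private array $store = [];
    /** Reduce an IPv4 address to its /24 network, e.g. 192.0.2.77 -> 192.0.2.0 */
    public static function subnetOf(string $ip): string
    {
        $packed = inet_pton($ip);
        if ($packed === false || strlen($packed) !== 4) {
            throw new InvalidArgumentException("not an IPv4 address: $ip");
        }
        return inet_ntop($packed & "\xff\xff\xff\x00");   // byte-wise AND with the /24 mask
    }

    /** Issue a fresh 256-bit token after HTTPS authentication; only its hash is stored server-side. */
    public function issue(int $bugzillaId, string $clientIp): string
    {
        $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG
        $this->store[hash('sha256', $token)] = [
            'subnet'      => self::subnetOf($clientIp),
            'bugzilla_id' => $bugzillaId,
        ];
        return $token;                                    // goes to the browser as the session cookie
    }
    /** Bugzilla ID for a known token presented from the bound subnet, otherwise null. */
    public function validate(string $token, string $clientIp): ?int
    {
        $entry = $this->store[hash('sha256', $token)] ?? null;
        if ($entry === null) {
            return null;
        }
        // The subnet is the only client binding: a token captured from an http
        // request is accepted from any other host in the same /24.
        return $entry['subnet'] === self::subnetOf($clientIp)
            ? $entry['bugzilla_id'] : null;
    }
}

// Constructed inputs (documentation addresses, no real users).
$sessions = new SubnetSession();
$token = $sessions->issue(4242, '192.0.2.77');
assert($sessions->validate($token, '192.0.2.77') === 4242);   // original client
assert($sessions->validate($token, '192.0.2.78') === 4242);   // neighbour in the same /24: accepted, the weakness noted above
assert($sessions->validate($token, '198.51.100.5') === null); // other subnet: rejected
assert($sessions->validate(str_repeat('0', 64), '192.0.2.77') === null); // unknown token
```

Serving the cookie only over HTTPS with the Secure flag, rather than relying on the subnet check, is what removes the same-subnet interception path this comment points out.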
Comment 3 Denis Roy CLA 2007-11-21 15:17:05 EST
Created attachment 83469 [details]
Re-revised patch for site login

OK, this is my final patch.  Please review it.  I'm quite happy with it.

I added a sqlSanitize($value, $dbh) function in App to prevent SQL injection attacks. This should be used to sanitize anything coming from the browser, before being sent to the DB.
Comment 4 Nathan Gervais CLA 2007-11-22 12:02:56 EST
+1 to the code patch, looks good.
Comment 5 Wayne Beaton CLA 2007-11-22 14:43:24 EST
Nothing big jumps out at me...

+1
Comment 6 Denis Roy CLA 2007-12-04 16:31:59 EST
The site login has been implemented, and the login page is here:

    http://dev.eclipse.org/site_login

I updated the Phoenix docs to explain how to use the login information:

    http://wiki.eclipse.org/Using_Phoenix