Login error: Untrusted request

Hi

I'm getting an error message if I try to login with any account. I didn't find much information about this, so I was not able to solve the problem by myself.

The full error message:
You tried to log in using the "email" account, but Bugzilla is unable to trust your request. Make sure your web browser accepts cookies and that you haven't been redirected here from an external web site. -Click here- if you really want to log in.

When I click the link (Click here), I need to reenter the credentials and the login works.

It's running on my local server, cookies are enabled. Cookie path is set correctly and correct permissions are set. Bugzilla version is 5.0.4 stable, running in almost default configuration (only required parameters are set).

I entered the Servername in the Apache configuration file, and also followed the official installation guide for Ubuntu/debian on bugzilla.org.

I think I'm missing something...
Any suggestions?

Thanks


The Apache2 log says:

[Fri Nov 30 17:45:10.058533 2018] [cgi:error] [pid 19741] [client XXX] AH01215: [Fri Nov 30 17:45:10 2018] editcomponents.cgi: Use of uninitialized value $compiled in concatenation (.) or string at lib/arm-linux-gnueabihf$
[Fri Nov 30 17:45:10.059862 2018] [cgi:error] [pid 19741] [client XXX] AH01215: [Fri Nov 30 17:45:10 2018] editcomponents.cgi: compiled template : Insecure dependency in require while running with -T switch at lib/arm-lin$
[Fri Nov 30 17:45:10.060045 2018] [cgi:error] [pid 19741] [client XXX] AH01215: [Fri Nov 30 17:45:10 2018] editcomponents.cgi: : /webroot/html/bugzilla/editcomponents.cgi
[Fri Nov 30 17:45:18.522751 2018] [cgi:error] [pid 19741] [client XXX] AH01215: [Fri Nov 30 17:45:18 2018] index.cgi: Use of uninitialized value $compiled in concatenation (.) or string at lib/arm-linux-gnueabihf-thread-m$
[Fri Nov 30 17:45:18.523280 2018] [cgi:error] [pid 19741] [client XXX] AH01215: [Fri Nov 30 17:45:18 2018] index.cgi: compiled template : Insecure dependency in require while running with -T switch at lib/arm-linux-gnueab$
[Fri Nov 30 17:45:18.523388 2018] [cgi:error] [pid 19741] [client XXX] AH01215: [Fri Nov 30 17:45:18 2018] index.cgi: : /webroot/html/bugzilla/index.cgi


0
marc
11/30/2018 4:57:02 PM
mozilla.support.bugzilla

7 Replies

Hello marc.schoendorf@gmail.com,
on Friday, 30 November 2018 at 17:57 you wrote:

> The full error message:
> You tried to log in using the "email" account, but Bugzilla is
> unable to trust your request. Make sure your web browser accepts
> cookies and that you haven't been redirected here from an external
> web site. -Click here- if you really want to log in.

> When I click the link (Click here), I need to reenter the credentials and the login works.

What exactly is the first page you are accessing in Bugzilla and where
exactly are you providing your credentials? Bugzilla is issuing
special tokens for the login form and such and your error message and
problem description reads like those tokens are missing or invalid at
the time you are posting your form.

After the login worked, can you open any page for any time until you
logout manually or are you forced to re-login at some point?

Things like cookies and tokens can be checked using your browsers'
development tools.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow

0
windows
11/30/2018 5:15:28 PM
Hi

Thanks for the fast reply.
I hope I understood your questions correctly, if not please let me know.

> What exactly is the first page you are accessing in Bugzilla and where
> exactly are you providing your credentials?
The first page is the BugZilla - Main Page, showing the icons for File a bug, Search, Log In... The corresponding server file is /bugzilla/index.cgi
I click on LogIn in the top bar, and two input fields appear for email and password. For the second login attempt after the error message, a separate page with just Email and Password fields appears.


> Bugzilla is issuing
> special tokens for the login form and such and your error message and
> problem description reads like those tokens are missing or invalid at
> the time you are posting your form.
> --------------------
> Things like cookies and tokens can be checked using your browsers'
> development tools.
I'm not so confident with web related stuff. Could you clarify what exactly I should check?


> After the login worked, can you open any page for any time until you
> logout manually or are you forced to re-login at some point?
After some time, I need to re-login to open a new page. But it's pretty inconsistent, so it's hard to tell at what time exactly it's happening.
0
marc
11/30/2018 5:41:00 PM
Hello marc.schoendorf@gmail.com,
on Friday, 30 November 2018 at 18:41 you wrote:

> I'm not so confident with web related stuff. Could you clarify what exactly I should check?

Log out manually, close the browser, open the browser, open the main
page, click "Log in" so that the form inputs are visible. Use your
browser's dev tools to show the HTML behind that form, which includes
tokens and stuff. In most browsers it's simply some option in the
context menu of one of the inputs of the form to access the dev tools,
but if you don't find anything, just google a bit, there are a lot of
videos out there for all browsers explaining much faster than I can.

The result would be something like the following:

> <form action="index.cgi" method="POST" class="mini_login" id="mini_login_top">
>     <input id="Bugzilla_login_top" required="" name="Bugzilla_login" class="bz_login" type="email" placeholder="Email Address">
>     <input class="bz_password" name="Bugzilla_password" type="password" id="Bugzilla_password_top" required="" placeholder="Password">
>       <input type="checkbox" id="Bugzilla_remember_top" name="Bugzilla_remember" value="on" class="bz_remember" checked="">
>       <label for="Bugzilla_remember_top">Remember</label>
>     <input type="hidden" name="Bugzilla_login_token" value="1543601064-ux2bWmAwms0jAbBFGG_aHPTopYLqlAmhSvATV7dBPgY">
>     <input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in_top">
>     <a href="#" onclick="return hide_mini_login_form('_top')">[x]</a>
>   </form>

> After some time, I need to re-login to open a new page. But it's
> pretty inconsistent, so it's hard to tell at what time exactly it's happening.

This sounds like an issue with your cookies, because I'm somewhat sure
that Bugzilla has no timeout. Check your cookiepath and rememberlogin
again, provide both here, as well as the URL you are browsing the main
page for etc. Have a look at things like automatic redirects from HTTP
to HTTPS and such during requests as well.

Kind regards,

Thorsten Schöning


0
windows
11/30/2018 6:10:10 PM
Thanks, that was the information I needed. It seems your guess was right. My value field is empty, so I guess the token is invalid. Here are the details:

<form action="index.cgi" method="POST" class="mini_login" id="mini_login_top">
    <input id="Bugzilla_login_top" required="" name="Bugzilla_login" class="bz_login" type="email" placeholder="Email Address">
    <input class="bz_password" name="Bugzilla_password" type="password" id="Bugzilla_password_top" required="" placeholder="Password">
    <input type="hidden" name="Bugzilla_login_token" value="">
    <input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in_top">
    <a href="#" onclick="return hide_mini_login_form('_top')">[x]</a>
  </form>


> This sounds like an issue with your cookies, because I'm somewhat sure
> that Bugzilla has no timeout. Check your cookiepath and rememberlogin
> again, provide both here, as well as the URL you are browsing the main
> page for etc. Have a look at things like automatic redirects from HTTP
> to HTTPS and such during requests as well.

First I should have mentioned, that all traffic is running over https.
I access bugzilla on the server (currently on the internet over ddns for testing) with https://mysite.de/bugzilla.

My cookiepath is "/bugzilla/". The web root directory is /webroot/html, bugzilla is installed in /webroot/html/bugzilla.

urlbase is https://mysite.de/bugzilla
ssl_redirect is on.
sslbase is empty.
rememberlogin is on.
requirelogin is on.
password_check_on_login is on.
cookiedomain is empty.
strict_transport_security is off.

Do you have a guess how I can fix the missing/invalid token?

And to be absolutely sure, here is the part of the apache vhost file for bugzilla:

        <Directory /webroot/html/bugzilla>
                Addhandler cgi-script .cgi .pl
                Options +Indexes +ExecCGI +FollowSymLinks
                DirectoryIndex index.cgi index.html
                AllowOverride All
        </Directory>
0
marc
11/30/2018 7:32:21 PM
Hello marc.schoendorf@gmail.com,
on Friday, 30 November 2018 at 20:32 you wrote:

> Thanks, that was the information I needed. It seems your guess was
> right. My value field is empty, so I guess the token is invalid. Here are the details:

I suggest having a look at the network parts of your browser and
reload the main page multiple times to see if you get redirected
somehow. Additionally, after each request check for the token in the
HTML.

> My cookiepath is "/bugzilla/". The web root directory is
> /webroot/html, bugzilla is installed in /webroot/html/bugzilla.

Reads correct and in line with the docs to me.

> urlbase is https://mysite.de/bugzilla
> ssl_redirect is on.
> sslbase is empty.

An empty sslbase doesn't sound right, check with urlbase HTTP and
sslbase HTTPS. Read the docs for ssl_redirect, it makes clear to rely
on sslbase.

> Do you have a guess how I can fix the missing/invalid token?

The token is empty for me after a logout as well without reloading the
page. But directly logging in afterwards succeeds, so it might not
be the token at all.

Kind regards,

Thorsten Schöning


0
windows
11/30/2018 8:15:47 PM
> An empty sslbase doesn't sound right, check with urlbase HTTP and
> sslbase HTTPS. Read the docs for ssl_redirect, it makes clear to rely
> on sslbase.

I fixed that, but it has no effect on the error.

> The token is empty for me after a logout as well without reloading the
> page. But directly logging in afterwards succeeds, so it might not
> be the token at all.
I tried some situations, and it seems that I only get the error message when the value of the token is empty. It's only empty after direct logout without reloading the page, as you said. When I reload the page after logout, the login always succeeds. Is this an error on my side, or should it be considered as a bug?

I will now have a look about the re-login prompt. If this is gone as well, I think that problem is solved for me.
0
marc
11/30/2018 8:33:24 PM
Hello marc.schoendorf@gmail.com,
on Friday, 30 November 2018 at 21:33 you wrote:

> I tried some situations, and it seems that I only get the error
> message when the value of the token is empty. It's only empty after
> direct logout without reloading the page, as you said. When I reload
> the page after logout, the login always succeeds. Is this an error
> on my side, or should it be considered as a bug?

A bug is less likely if things seem to work for most people and with a
fairly standard installation like I have. Check the following first:

Open the start page, log in, open the dev tools of your browser, open
the network tab, reload the page to make it see something. Log out
WITHOUT reloading the page, have a look at the response of "index.cgi"
regarding cookies. It should look like the following:

> Set-Cookie: Bugzilla_login_request_cookie=8zTrSxlxlX; path=/; HttpOnly
> Set-Cookie: Bugzilla_login=X; path=/; expires=Tue, 15-Sep-1998 21:49:00 GMT
> Set-Cookie: sudo=X; path=/; expires=Tue, 15-Sep-1998 21:49:00 GMT
> Set-Cookie: Bugzilla_logincookie=X; path=/; expires=Tue, 15-Sep-1998 21:49:00 GMT

Open the login form still WITHOUT reloading, log in and have another
look at cookies in the request and response to "index.cgi". This looks
like the following for me:

> Cookie: BUGLIST=2134;[...]Bugzilla_login_request_cookie=8zTrSxlxlX

> Set-Cookie: Bugzilla_logincookie=FOG5ogf8oE; path=/; expires=Fri, 01-Jan-2038 00:00:00 GMT; HttpOnly
> Set-Cookie: Bugzilla_login=1; path=/; expires=Fri, 01-Jan-2038 00:00:00 GMT; HttpOnly

The important thing is "Bugzilla_login_request_cookie", if that is
missing after your log out for some reason, you get your error
message. Same with if it's not sent during login.

If it's not missing and is sent, I'm running out of ideas. :-) Then
the only explanation left for your problem for me would be that the
cookie is invalid already when used during login and I have no idea
how that could happen.

Kind regards,

Thorsten Schöning


0
windows
12/1/2018 9:03:46 AM
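
The manual check described in the reply above (request cookie set at logout, sent again at login, token present in the form) can be scripted over headers and HTML copied from the browser's network tab. This Python sketch is an added example, not part of the thread or of Bugzilla's code; the sample capture is constructed, the function names are hypothetical, and the cookie path test follows the RFC 6265 path-match rule, which goes beyond what the thread itself checks.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

REQ_COOKIE = "Bugzilla_login_request_cookie"   # cookie name quoted in the thread
TOKEN_FIELD = "Bugzilla_login_token"           # hidden form field quoted in the thread
# Constructed sample capture (not from a real server), shaped like the thread's headers.
SAMPLE_LOGOUT = ["Set-Cookie: Bugzilla_login_request_cookie=EXAMPLE123; path=/bugzilla/; HttpOnly"]
SAMPLE_FORM = '<input type="hidden" name="Bugzilla_login_token" value="">'

class _TokenFinder(HTMLParser):
    token = None                               # stays None if the field is absent
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == TOKEN_FIELD:
            self.token = a.get("value") or ""

def form_token(html):
    """Value of the hidden login-token input, '' if empty, None if not in the form."""
    finder = _TokenFinder()
    finder.feed(html)
    return finder.token

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: is a cookie with cookie_path sent to request_path?"""
    return request_path == cookie_path or (
        request_path.startswith(cookie_path)
        and (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def diagnose(logout_set_cookie_lines, login_cookie_header, login_form_html, login_path):
    """Return a list of findings; an empty list means the capture looks healthy."""
    findings, issued = [], None
    for line in logout_set_cookie_lines:       # full "Set-Cookie: ..." header lines
        jar = SimpleCookie(line.partition(":")[2].strip())
        if REQ_COOKIE in jar:
            issued = jar[REQ_COOKIE]
    if issued is None:
        findings.append("request cookie not set in logout response")
    else:
        if issued["path"] and not path_match(login_path, issued["path"]):
            findings.append("cookie path does not cover the login URL")
        sent = SimpleCookie(login_cookie_header)   # value of the request's Cookie header
        if REQ_COOKIE not in sent:
            findings.append("request cookie not sent with login request")
        elif sent[REQ_COOKIE].value != issued.value:
            findings.append("request cookie sent with a different value")
    if not form_token(login_form_html):
        findings.append("login token missing or empty in form")
    return findings
```
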