Bug 134022: PERFORMANCE: deleting old login cookies locks login checks

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=mkanat

Bug 134022: PERFORMANCE: deleting old login cookies locks login checks
5c76819f · mkanat%bugzilla.org · 1be84df9 · 5c76819f · 5c76819f · 5c76819f
Commit 5c76819f authored Jan 20, 2009 by mkanat%bugzilla.org
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 11 deletions

Auth.pm Bugzilla/Auth.pm +5 -11

Cookie.pm Bugzilla/Auth/Persist/Cookie.pm +9 -0

Constants.pm Bugzilla/Constants.pm +3 -0

No files found.
--- a/Bugzilla/Auth.pm
+++ b/Bugzilla/Auth.pm
@@ -151,23 +151,17 @@ sub _handle_login_result {
        ThrowCodeError($result->{error}, $result->{details});
    }
    elsif ($fail_code == AUTH_NODATA) {
-        if ($login_type == LOGIN_REQUIRED) {
+        $self->{_info_getter}->fail_nodata($self) 
-            # This seems like as good as time as any to get rid of
+            if $login_type == LOGIN_REQUIRED;
-            # old crufty junk in the logincookies table.  Get rid
-            # of any entry that hasn't been used in a month.
+        # If we're not LOGIN_REQUIRED, we just return the default user.
-            $dbh->do("DELETE FROM logincookies WHERE " .
-                     $dbh->sql_to_days('NOW()') . " - " .
-                     $dbh->sql_to_days('lastused') . " > 30");
-            $self->{_info_getter}->fail_nodata($self);
-        }
-        # Otherwise, we just return the "default" user.
        $user = Bugzilla->user;
    }
    # The username/password may be wrong
    # Don't let the user know whether the username exists or whether
    # the password was just wrong. (This makes it harder for a cracker
    # to find account names by brute force)
-    elsif (($fail_code == AUTH_LOGINFAILED) || ($fail_code == AUTH_NO_SUCH_USER)) {
+    elsif ($fail_code == AUTH_LOGINFAILED or $fail_code == AUTH_NO_SUCH_USER) {
        ThrowUserError("invalid_username_or_password");
    }
    # The account may be disabled

--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -60,6 +60,8 @@ sub persist_login {
    # subsequent login
    trick_taint($ip_addr);
+    $dbh->bz_start_transaction();
    my $login_cookie = 
        Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie');
@@ -67,6 +69,13 @@ sub persist_login {
              VALUES (?, ?, ?, NOW())",
              undef, $login_cookie, $user->id, $ip_addr);
+    # Issuing a new cookie is a good time to clean up the old
+    # cookies.
+    $dbh->do("DELETE FROM logincookies WHERE lastused < LOCALTIMESTAMP(0) - "
+             . $dbh->sql_interval(MAX_LOGINCOOKIE_AGE, 'DAY'));
+    $dbh->bz_commit_transaction();
    # Prevent JavaScript from accessing login cookies.
    my %cookieargs = ('-httponly' => 1);

--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -142,6 +142,7 @@ use File::Basename;
    ON_WINDOWS
    MAX_TOKEN_AGE
+    MAX_LOGINCOOKIE_AGE
    SAFE_PROTOCOLS
@@ -363,6 +364,8 @@ use constant FIELD_TYPE_BUG_ID  => 6;
 # The maximum number of days a token will remain valid.
 use constant MAX_TOKEN_AGE => 3;
+# How many days a logincookie will remain valid if not used.
+use constant MAX_LOGINCOOKIE_AGE => 30;
 # Protocols which are considered as safe.
 use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',