Edgewall Software

Ticket #2417 (new enhancement)

Opened 3 years ago

Last modified 12 months ago

Customizable trac_auth cookie domain

Reported by: trac@… Owned by: jonas
Priority: normal Milestone: 0.13
Component: general Version: devel
Severity: normal Keywords: authentication consider
Cc: lm@…

Description

We're using Kerberos over HTTP Basic authentication with Trac. To reduce the CPU load on the Web server we'd like to redirect to SSL only for the authentication request, then go back to regular HTTP otherwise. We can do this with Apache directives, but the cookie is not used by the non-SSL server (which has a different hostname, per university policy). I ended up having to hack web/auth.py to add in LoginModule._do_login:

req.outcookie['trac_auth']['domain'] = 'acm.uiuc.edu'

With that, everything seems to work, but it'd be nice to be able to have a trac.ini setting for 'cookie domain'.

Attachments

auth.py.diff (0.5 KB) - added by lm@… 12 months ago.
Check the trac.ini for a trac_auth section to get the domain.

Change History

Changed 2 years ago by sid

  • keywords authentication added

Not sure this is going to make it into trunk because it is too specific a problem. Can it be solved with a plugin? wontfix?

Changed 2 years ago by Noah Kantrowitz <coderanger@…>

Look at tracforge.linker.auth.CookieMunger for an example of doing this in a plugin. Not pretty, but it works.

Changed 20 months ago by cboos

  • keywords consider added
  • milestone set to 0.12

Changed 12 months ago by lm@…

As the solution to address the initial bug report is quite simple, I suggest addressing this in Trac instead of moving it to a plugin.

It's required to send a domain if one is set in trac.ini. Otherwise Trac behaves as before. Therefore there is no risk of breaking existing installations.

Please consider merging the patch into the upcoming 0.11 release.

Changed 12 months ago by lm@…

Check the trac.ini for a trac_auth section to get the domain.

Changed 12 months ago by lm@…

The check that the length of the domain string from the environment is greater than zero was added to prevent the system from setting a superfluous empty variable, which might cause different behavior.

I'm not sure if this is required.

From my point of view this does no harm, as the operation is cheap and not performed that often.

Changed 12 months ago by lm@…

  • cc lm@… added

A reference to this defect was added to the Novell bugzilla system for the openSUSE product. See https://bugzilla.novell.com/show_bug.cgi?id=344775
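The behaviour discussed in this ticket, as an added example that is not the attached auth.py.diff and not Trac's own code: the Domain attribute is set on trac_auth only when trac.ini supplies a non-empty value that covers the requesting host. The option name `domain`, the helper names and the example.org hosts are assumptions constructed for illustration.

```python
import configparser
from http.cookies import SimpleCookie

# Constructed trac.ini fragment; the option name "domain" is an assumption.
SAMPLE_INI = "[trac_auth]\ndomain = example.org\n"


def cookie_domain(ini_text):
    """Return the configured cookie domain, or None when unset or empty."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    value = cfg.get("trac_auth", "domain", fallback="")
    return value.strip().lstrip(".").lower() or None


def domain_covers(domain, host):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def build_auth_cookie(token, request_host, ini_text):
    """Build the trac_auth Set-Cookie value for a login response."""
    cookie = SimpleCookie()
    cookie["trac_auth"] = token
    cookie["trac_auth"]["path"] = "/"
    domain = cookie_domain(ini_text)
    if domain is not None:
        # A browser rejects a Domain that does not cover the setting host,
        # so fail at login time instead of silently losing the session.
        if not domain_covers(domain, request_host):
            raise ValueError("cookie domain does not cover " + request_host)
        cookie["trac_auth"]["domain"] = domain
    return cookie["trac_auth"].OutputString()


def sent_to(setting_host, domain, target_host):
    """Would a browser send the cookie to target_host?

    Without a Domain attribute the cookie is host-only. With one, every
    subdomain receives the session cookie, including hosts served over
    plain HTTP, which is the trade-off of widening the scope.
    """
    if domain is None:
        return target_host.lower() == setting_host.lower()
    return domain_covers(domain, target_host)
```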
