Ticket #2417 (closed enhancement: wontfix)
Opened 6 years ago
Last modified 17 months ago
Customizable trac_auth cookie domain
| Reported by: | trac@… | Owned by: | jonas |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | web frontend | Version: | devel |
| Severity: | normal | Keywords: | authentication trac_auth domain needfixup |
| Cc: | lm@… | | |
| Release Notes: | | | |
| API Changes: | | | |
Description
We're using Kerberos over HTTP Basic authentication with Trac. To reduce the CPU load on the Web server we'd like to redirect to SSL only for the authentication request, then go back to regular HTTP otherwise. We can do this with Apache directives, but the cookie is not used by the non-SSL server (which has a different hostname, per university policy). I ended up having to hack web/auth.py to add in LoginModule._do_login:
req.outcookie['trac_auth']['domain'] = 'acm.uiuc.edu'
With that, everything seems to work, but it'd be nice to be able to have a trac.ini setting for 'cookie domain'.
Attachments
Change History
comment:1 Changed 5 years ago by sid
- Keywords authentication added
comment:2 Changed 5 years ago by Noah Kantrowitz <coderanger@…>
Look at tracforge.linker.auth.CookieMunger for an example of doing this in a plugin. Not pretty, but it works.
comment:3 Changed 5 years ago by cboos
- Keywords consider added
- Milestone set to 0.12
comment:4 Changed 4 years ago by lm@…
As the solution to address the initial bug report is quite simple, I suggest addressing this in Trac instead of moving it to a plugin.
It's required to send a domain if one is set in trac.ini. Otherwise Trac behaves as before. Therefore there is no risk of breaking existing installations.
Please consider merging the patch into the upcoming 0.11 release.
Changed 4 years ago by lm@…
- Attachment auth.py.diff added
Check the trac.ini for a trac_auth section to get the domain.
comment:5 Changed 4 years ago by lm@…
The check whether the length of the domain string from the environment is greater than zero was added to prevent the system from setting a superfluous empty variable that may cause different behavior.
I'm not sure if this is required.
From my point of view this doesn't harm, as the operation is cheap and not performed that often.
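The behaviour discussed in the description, the attachment summary and comment:5, as an added example that is not Trac code and not the attached auth.py.diff: the cookie gets a Domain attribute only when a non-empty value is configured, and an RFC 6265 domain match shows which hosts would then receive it. The key name `domain` inside `[trac_auth]`, the host names other than acm.uiuc.edu and the token value are assumptions made for the illustration.

```python
# Added illustration, not Trac code and not the attached auth.py.diff.
from configparser import ConfigParser
from http.cookies import SimpleCookie

# Constructed trac.ini fragments; the key name "domain" is an assumption.
INI_WITH_DOMAIN = "[trac_auth]\ndomain = acm.uiuc.edu\n"
INI_EMPTY_DOMAIN = "[trac_auth]\ndomain =\n"

def build_auth_cookie(ini_text, token):
    """Build the trac_auth cookie; Domain is set only when configured."""
    cfg = ConfigParser()
    cfg.read_string(ini_text)
    domain = cfg.get("trac_auth", "domain", fallback="").strip()
    cookie = SimpleCookie()
    cookie["trac_auth"] = token
    cookie["trac_auth"]["path"] = "/"
    if domain:  # missing or empty value: keep the host-only cookie as before
        cookie["trac_auth"]["domain"] = domain
    return cookie

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def receives_cookie(cookie, origin_host, request_host):
    """Would a browser return the cookie set by origin_host to request_host?"""
    domain = cookie["trac_auth"]["domain"]
    if not domain:  # no Domain attribute: only the setting host gets it back
        return request_host.lower() == origin_host.lower()
    return domain_match(request_host, domain)

def audit(ini_text, origin_host, hosts):
    """Map each host to whether it would receive the trac_auth cookie."""
    cookie = build_auth_cookie(ini_text, "constructed-token")
    return {h: receives_cookie(cookie, origin_host, h) for h in hosts}

if __name__ == "__main__":
    # Constructed host names under the domain quoted in the description.
    hosts = ["secure.acm.uiuc.edu", "www.acm.uiuc.edu",
             "wiki.acm.uiuc.edu", "notacm.uiuc.edu", "uiuc.edu"]
    for ini in (INI_EMPTY_DOMAIN, INI_WITH_DOMAIN):
        print(build_auth_cookie(ini, "constructed-token").output())
        print(audit(ini, "secure.acm.uiuc.edu", hosts))
```

With the domain set, every host under acm.uiuc.edu receives the session cookie, including over plain HTTP in the setup the description outlines, so the wider scope is the part to review before enabling such a setting.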
comment:6 Changed 4 years ago by lm@…
- Cc lm@… added
A reference to this defect was added to the Novell bugzilla system for the openSUSE product. See https://bugzilla.novell.com/show_bug.cgi?id=344775
comment:7 Changed 17 months ago by cboos
- Keywords needfixup added; consider removed
Would be nice to expand the patch by defining an Option, with appropriate documentation.
comment:8 Changed 17 months ago by Lars Müller <lars@…>
Three years later, openslx no longer uses Trac. Therefore I can't test your suggested change. Nevertheless, thank you and the Trac project for your support!
comment:9 Changed 17 months ago by cboos
- Component changed from general to web frontend
- Keywords trac_auth domain added
- Milestone next-major-0.1X deleted
- Resolution set to wontfix
- Status changed from new to closed
Thank you for the feedback!
In those 3 years, it also seems that no one else has got a similar need (or they remained silent and just used the patch ;-) ), so I'm now closing as wontfix.
However, if someone else has a similar need, feel free to refresh the patch as requested and then reopen.



Not sure this is going to make it into trunk because it is too specific a problem. Can it be solved with a plugin? wontfix?