Edgewall Software
Modify

Opened 3 years ago

Closed 3 years ago

#12251 closed enhancement (fixed)

Add option to share cookies across subdomains

Reported by: Ryan J Ollos Owned by: Ryan J Ollos
Priority: normal Milestone: 1.2
Component: web frontend Version:
Severity: normal Keywords: cookie
Cc:
Release Notes:

The option [trac] auth_cookie_domain sets the domain attribute of the auth cookie, allowing cookies to be shared across subdomains.

API Changes:

Description

SO:23086139/121694 describes setting the cookie domain attribute so that it's shared across subdomains.

Attachments (1)

t12251.patch (1.6 KB ) - added by Ryan J Ollos 3 years ago.

Download all attachments as: .zip

Change History (8)

Changed 3 years ago by Ryan J Ollos

Attachment: t12251.patch added

comment:1 Changed 3 years ago by Ryan J Ollos

Proposed change in t12251.patch.

comment:2 Changed 3 years ago by Ryan J Ollos

I did some additional testing today and the patch doesn't seem to be working the way I remember. I've configured my system with the following in /etc/hosts:

127.0.0.1 sub1.example.com
127.0.0.1 sub2.example.com

I created two Trac environments and I'm running tracd on port 8005. I access the two Trac instances through the URLs sub1.example.com/proj1 and sub2.example.com/proj2. I've set [trac] auth_cookie_domain to example.com.

When logging-in I can see the domain set in the header:

Set-Cookie:trac_auth=e9fb12b1b9a5d71e1234a86f845c13a4; Domain=example.com; httponly; Path=/proj2

I've tried with [trac] auth_cookie_path unset, as well as set to /. I was expecting that, after logging into one Trac instance I could refresh the page on the other, the second Trac instance would have the same trac_auth cookie value as the first and I'd be authenticated with the second Trac instance.

Does anyone see where I've made an error, either in the patch, or in my expectations of the behavior?

comment:3 in reply to:  2 Changed 3 years ago by Ryan J Ollos

Replying to Ryan J Ollos:

Does anyone see where I've made an error, either in the patch, or in my expectations of the behavior?

I didn't understand that a Component such as SharedCookieAuthPlugin is needed to share authentication across projects. t12251.patch works correctly when SharedCookieAuthPlugin is enabled, so I propose to commit the change. In #12257 I propose to add the equivalent of SharedCookieAuthPlugin to tracopt.web.auth.

Last edited 3 years ago by Ryan J Ollos (previous) (diff)

comment:4 Changed 3 years ago by Ryan J Ollos

I considered that it might not be necessary to have a [trac] auth_cookie_domain option if the domain could be parsed from [trac] base_url. However, parsing the domain name from the URL seems to be non-trivial, as discussed in SO:1066947/121694.

comment:5 Changed 3 years ago by Ryan J Ollos

Release Notes: modified (diff)

comment:6 in reply to:  4 Changed 3 years ago by Jun Omae

Replying to Ryan J Ollos:

I considered that it might not be necessary to have a [trac] auth_cookie_domain option if the domain could be parsed from [trac] base_url.

No. We cannot use base_url option. The option is normally specified with absolute URL.

Also, If the server omits the Domain attribute, the user agent will return the cookie only to the origin server. If the domain attribute is present, the cookie will be sent for its subdomains. See https://tools.ietf.org/html/rfc6265#section-4.1.2.3.

Therefore, the behavior isn't same between with the domain attribute and without.

Last edited 3 years ago by Jun Omae (previous) (diff)

comment:7 Changed 3 years ago by Ryan J Ollos

Resolution: fixed
Status: assignedclosed

Committed to trunk in [14370].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted.
to The owner will be changed from Ryan J Ollos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.