#12421 closed defect (duplicate)
Session ID should be alphanumeric is a too restrictive requirement
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 1.1.6 |
| Severity: | normal | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description (last modified by )
Up to version 1.0 included (strange as the code suggests the opposite… but was working in my tests with 1.1.10), Trac was allowing much more than alphanumeric characters for Session IDs. In 1.1.6, it seems that it is restrictred to alphanumeric ones. I have not seen this change highlighted in the documentation and I don't know the rationale behind but it breaks our site, and probably others, where the user set up by Apache and passed to Trac can be different from a standard userid. In our case it can be an email and thus requires @ and . and possible - which is valid in an email address. We also have some use cases where the user is mapped as a certificate DN and in this case requires /, = and space.
I attach a patch for supporting email addresss as valid SIDs. I let you decided the other characters required for supporting a certificate DN or CommonName are also acceptable.
Attachments (1)
Change History (7)
by , 8 years ago
| Attachment: | session.py.patch added |
|---|
comment:1 by , 8 years ago
| Priority: | high → normal |
|---|---|
| Severity: | critical → normal |
comment:2 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 8 years ago
That limitation is for anonymous users. SID for authenticated users has no limitation. I don't understand you don't set up authentication.
$ ~/venv/trac/1.0.10/bin/trac-admin ~/var/trac/1.0-sqlite Welcome to trac-admin 1.0.10 Interactive Trac administration console. Copyright (C) 2003-2013 Edgewall Software Type: '?' or 'help' for help on commands. Trac [/home/jun66j5/var/trac/1.0-sqlite]> session list SID Auth Last Visit Name Email ----------------------------------------------------------------------------- 80cd7433754ad02d8e3184fb 0 2016-03-28 Test admin 1 2016-03-14 Jun Omae jun66j5@gmail.com admin@example.org 1 2016-03-28
comment:5 by , 8 years ago
| Milestone: | next-dev-1.1.x |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |
Okay. Trac 1.1.6 has the same issue as #12129. The issue has been fixed in trunk. However, Trac 1.1.x is development release. We don't recommend to use in production environment.
comment:6 by , 8 years ago
Sorry for the duplicate, I searched existing tickets but forgot to look for closed tickets, this is probably with I didn't find it…
As I said it was working in my tests with 1.0.9 and 1.0.10 and this is because it was fixed after 1.0.7. My report was about 1.1.6 that I just tested (this is the only issue I found so far!): I didn't check the trunk.
session.py patch for a less restrictive SIDs