Edgewall Software
Modify

Opened 19 years ago

Closed 15 years ago

#2333 closed enhancement (fixed)

Control Expiration of the Auth Cookie

Reported by: bugs.trac@… Owned by: Remy Blank
Priority: normal Milestone: 0.12
Component: general Version: 0.10.3
Severity: normal Keywords: auth expiration cookie patch
Cc: dottedmag@…, felix.schwarz@…, captain.mubbers@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Currently, in TRAC, you cannot set how long the auth cookie should hang around, it lasts till the browser is closed.

I have a patch that allows setting a auth_expiration in the trac.ini file.

This is similar (but not the same) as the issues mentioned in:

Ciao!

Attachments (2)

auth_expires.patch (1.2 KB ) - added by bugs.trac@… 19 years ago.
Auth Cookie expiration configuration
2333-auth-cookie-expiration-8391.patch (1.3 KB ) - added by Remy Blank 15 years ago.
Patch against trunk adding configuration for authentication cookie expiration.

Download all attachments as: .zip

Change History (19)

by bugs.trac@…, 19 years ago

Attachment: auth_expires.patch added

Auth Cookie expiration configuration

comment:1 by Christian Boos, 18 years ago

Keywords: needinfo added

Well, I'm not really familiar with that part of the code, but it looks like the cookie is also cleared when you explicitly logout. You didn't explain exactly why you'd like to make the expiration configurable…

So I'm proposing a worksforme (because of the logout), for the sake of cutting down the count of our long standing tickets ;-)

comment:2 by Christian Boos, 18 years ago

Resolution: worksforme
Status: newclosed

As explained above.

comment:3 by peter@…, 18 years ago

Resolution: worksforme
Status: closedreopened
Type: defectenhancement
Version: 0.90.10.3

I would like to re-open this ticket. The change is blindingly simple, and means those of us who use trac constantly don't have to log in over again every time we open our browser.

comment:4 by sid, 17 years ago

Keywords: patch added; needinfo removed

comment:5 by anonymous, 16 years ago

Any news on this? I would love to have this feature. It's uber annoying logging in every time.

comment:6 by Remy Blank, 16 years ago

Milestone: 0.12
Owner: changed from Jonas Borgström to Remy Blank
Status: reopenednew

I'd be willing to implement this in trunk, but I would like to know more precisely what's not working for you currently, and how controlling cookie expiration would solve the issue.

comment:7 by Remy Blank, 16 years ago

#7701 was closed as a duplicate.

in reply to:  6 ; comment:8 by anonymous, 16 years ago

Replying to rblank:

but I would like to know more precisely what's not working for you currently, and how controlling cookie expiration would solve the issue.

More details: cookies without expiration time expire when browser is closed (see the RFC 2109 4.3.1), which is quite inconvenient. If there is an expiration time set in cookie, then you don't have to relogin after reboot, browser crash or just logout/login.

comment:9 by dottedmag@…, 16 years ago

Cc: dottedmag@… added

in reply to:  8 comment:10 by Remy Blank, 16 years ago

Replying to anonymous:

If there is an expiration time set in cookie, then you don't have to relogin after reboot, browser crash or just logout/login.

I understand. Strangely, on this site (trac.edgewall.org), I am sometimes still logged in after a reboot, which should not happen according to your explanation. Firefox must be doing something weird.

comment:11 by dottedmag@…, 16 years ago

t.e.o sets the expiration time in cookie. I don't know how :)

in reply to:  11 ; comment:12 by Remy Blank, 16 years ago

Replying to dottedmag@…:

t.e.o sets the expiration time in cookie. I don't know how :)

Does it? Firefox shows here that they expire "at end of session". Anyway, I think that this would be a good addition, so I'll look into it.

in reply to:  12 ; comment:13 by dottedmag@…, 16 years ago

Replying to rblank:

Does it? Firefox shows here that they expire "at end of session".

For me (as Opera shows) session cookie at t.e.o expires after three months, while on other Tracs the expiration date is not set.

But nevermind :)

comment:14 by Felix Schwarz <felix.schwarz@…>, 16 years ago

Cc: felix.schwarz@… added

comment:15 by ntt <captain.mubbers@…>, 16 years ago

Cc: captain.mubbers@… added

by Remy Blank, 15 years ago

Patch against trunk adding configuration for authentication cookie expiration.

in reply to:  13 comment:16 by Remy Blank, 15 years ago

Replying to dottedmag@…:

For me (as Opera shows) session cookie at t.e.o expires after three months, while on other Tracs the expiration date is not set.

After having looked at the implementation some more, I understand where the difference comes from:

  • Authenticated users get a trac_auth cookie representing authentication information. This cookie expires at the end of the browsing session. On t.e.o, only developers get those.
  • Non-authenticated users get a trac_session cookie representing their session. This cookie expires after 90 days (of inactivity), at the same time as the session is purged from the database.

Anyhow, the patch above is an update for current trunk, and implements an option [trac] auth_cookie_lifetime that specifies the lifetime of the trac_auth cookie in seconds. The default of 0 means "at the end of the browsing session".

Please test.

comment:17 by Remy Blank, 15 years ago

Resolution: fixed
Status: newclosed

Patch applied in [8462].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Remy Blank.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Remy Blank to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.