Control Expiration of the Auth Cookie

[bugs.trac@…]

Currently, in TRAC, you cannot set how long the auth cookie should hang around, it lasts till the browser is closed.

I have a patch that allows setting a auth_expiration in the trac.ini file.

This is similar (but not the same) as the issues mentioned in:

• ticket:599
• ticket:788
• ticket:791

Ciao!

[bugs.trac@…]

Auth Cookie expiration configuration

[Christian Boos]

Well, I'm not really familiar with that part of the code, but it looks like the cookie is also cleared when you explicitly logout. You didn't explain exactly why you'd like to make the expiration configurable…

So I'm proposing a worksforme (because of the logout), for the sake of cutting down the count of our long standing tickets ;-)

[Christian Boos]

As explained above.

[peter@…]

I would like to re-open this ticket. The change is blindingly simple, and means those of us who use trac constantly don't have to log in over again every time we open our browser.

[anonymous]

Any news on this? I would love to have this feature. It's uber annoying logging in every time.

[Remy Blank]

I'd be willing to implement this in trunk, but I would like to know more precisely what's not working for you currently, and how controlling cookie expiration would solve the issue.

[Remy Blank]

#7701 was closed as a duplicate.

[anonymous]

Replying to rblank:

but I would like to know more precisely what's not working for you currently, and how controlling cookie expiration would solve the issue.

More details: cookies without expiration time expire when browser is closed (see the RFC 2109 4.3.1), which is quite inconvenient. If there is an expiration time set in cookie, then you don't have to relogin after reboot, browser crash or just logout/login.

[Remy Blank]

Replying to anonymous:

If there is an expiration time set in cookie, then you don't have to relogin after reboot, browser crash or just logout/login.

I understand. Strangely, on this site (trac.edgewall.org), I am sometimes still logged in after a reboot, which should not happen according to your explanation. Firefox must be doing something weird.

[dottedmag@…]

t.e.o sets the expiration time in cookie. I don't know how :)

[Remy Blank]

Replying to dottedmag@…:

t.e.o sets the expiration time in cookie. I don't know how :)

Does it? Firefox shows here that they expire "at end of session". Anyway, I think that this would be a good addition, so I'll look into it.

[dottedmag@…]

Replying to rblank:

Does it? Firefox shows here that they expire "at end of session".

For me (as Opera shows) session cookie at t.e.o expires after three months, while on other Tracs the expiration date is not set.

But nevermind :)

[Remy Blank]

Patch against trunk adding configuration for authentication cookie expiration.

[Remy Blank]

Replying to dottedmag@…:

For me (as Opera shows) session cookie at t.e.o expires after three months, while on other Tracs the expiration date is not set.

After having looked at the implementation some more, I understand where the difference comes from:

• Authenticated users get a trac_auth cookie representing authentication information. This cookie expires at the end of the browsing session. On t.e.o, only developers get those.

• Non-authenticated users get a trac_session cookie representing their session. This cookie expires after 90 days (of inactivity), at the same time as the session is purged from the database.

Anyhow, the patch above is an update for current trunk, and implements an option [trac] auth_cookie_lifetime that specifies the lifetime of the trac_auth cookie in seconds. The default of 0 means "at the end of the browsing session".

Please test.

[Remy Blank]

Patch applied in [8462].