Opened 19 years ago
Closed 15 years ago
#2333 closed enhancement (fixed)
Control Expiration of the Auth Cookie
Reported by: | | Owned by: | Remy Blank |
---|---|---|---|
Priority: | normal | Milestone: | 0.12 |
Component: | general | Version: | 0.10.3 |
Severity: | normal | Keywords: | auth expiration cookie patch |
Cc: | dottedmag@…, felix.schwarz@…, captain.mubbers@… | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
Currently, in TRAC, you cannot set how long the auth cookie should hang around; it lasts till the browser is closed.
I have a patch that allows setting an auth_expiration in the trac.ini file.
This is similar (but not the same) as the issues mentioned in:
Ciao!
Attachments (2)
Change History (19)
by , 19 years ago
Attachment: | auth_expires.patch added |
---|
comment:1 by , 18 years ago
Keywords: | needinfo added |
---|
Well, I'm not really familiar with that part of the code, but it looks like the cookie is also cleared when you explicitly log out. You didn't explain exactly why you'd like to make the expiration configurable…
So I'm proposing a worksforme (because of the logout), for the sake of cutting down the count of our long-standing tickets ;-)
comment:3 by , 18 years ago
Resolution: | worksforme |
---|---|
Status: | closed → reopened |
Type: | defect → enhancement |
Version: | 0.9 → 0.10.3 |
I would like to re-open this ticket. The change is blindingly simple, and means those of us who use trac constantly don't have to log in over again every time we open our browser.
comment:4 by , 17 years ago
Keywords: | patch added; needinfo removed |
---|
comment:5 by , 16 years ago
Any news on this? I would love to have this feature. It's uber annoying logging in every time.
follow-up: 8 comment:6 by , 16 years ago
Milestone: | → 0.12 |
---|---|
Owner: | changed from | to
Status: | reopened → new |
I'd be willing to implement this in trunk, but I would like to know more precisely what's not working for you currently, and how controlling cookie expiration would solve the issue.
follow-up: 10 comment:8 by , 16 years ago
Replying to rblank:
but I would like to know more precisely what's not working for you currently, and how controlling cookie expiration would solve the issue.
More details: cookies without expiration time expire when browser is closed (see the RFC 2109 4.3.1), which is quite inconvenient. If there is an expiration time set in cookie, then you don't have to relogin after reboot, browser crash or just logout/login.
comment:9 by , 16 years ago
Cc: | added |
---|
comment:10 by , 16 years ago
Replying to anonymous:
If there is an expiration time set in cookie, then you don't have to relogin after reboot, browser crash or just logout/login.
I understand. Strangely, on this site (trac.edgewall.org), I am sometimes still logged in after a reboot, which should not happen according to your explanation. Firefox must be doing something weird.
follow-up: 12 comment:11 by , 16 years ago
t.e.o sets the expiration time in cookie. I don't know how :)
follow-up: 13 comment:12 by , 16 years ago
Replying to dottedmag@…:
t.e.o sets the expiration time in cookie. I don't know how :)
Does it? Firefox shows here that they expire "at end of session". Anyway, I think that this would be a good addition, so I'll look into it.
follow-up: 16 comment:13 by , 16 years ago
Replying to rblank:
Does it? Firefox shows here that they expire "at end of session".
For me (as Opera shows) session cookie at t.e.o expires after three months, while on other Tracs the expiration date is not set.
But never mind :)
comment:14 by , 16 years ago
Cc: | added |
---|
comment:15 by , 16 years ago
Cc: | added |
---|
by , 15 years ago
Attachment: | 2333-auth-cookie-expiration-8391.patch added |
---|
Patch against trunk adding configuration for authentication cookie expiration.
comment:16 by , 15 years ago
Replying to dottedmag@…:
For me (as Opera shows) session cookie at t.e.o expires after three months, while on other Tracs the expiration date is not set.
After having looked at the implementation some more, I understand where the difference comes from:
- Authenticated users get a `trac_auth` cookie representing authentication information. This cookie expires at the end of the browsing session. On t.e.o, only developers get those.
- Non-authenticated users get a `trac_session` cookie representing their session. This cookie expires after 90 days (of inactivity), at the same time as the session is purged from the database.

Anyhow, the patch above is an update for current trunk, and implements an option `[trac] auth_cookie_lifetime` that specifies the lifetime of the `trac_auth` cookie in seconds. The default of 0 means "at the end of the browsing session".
Please test.
Auth Cookie expiration configuration
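
An added example (not the patch attached to this ticket and not Trac's own code) of the semantics described in comment 16: a lifetime of 0 yields a session cookie, a positive value adds an expiry. The function names, the `SESSION_CAP` value and the server-side age check against a stored issue time are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_CAP = 10 * 86400  # assumed server-side cap for session cookies


def build_auth_cookie(token, lifetime=0, secure=True):
    """Build the Set-Cookie value for trac_auth.

    lifetime is in seconds; 0 emits no expiry attribute, so the browser
    treats it as a session cookie.
    """
    if lifetime < 0:
        raise ValueError("lifetime must be >= 0")
    jar = SimpleCookie()
    jar["trac_auth"] = token
    morsel = jar["trac_auth"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if lifetime > 0:
        morsel["max-age"] = lifetime   # emitted as Max-Age=<seconds>
        morsel["expires"] = lifetime   # int offset -> absolute GMT date
    return morsel.OutputString()


def cookie_still_valid(issued_at, lifetime, now=None):
    """Server-side age check against the stored issue time.

    The browser's expiry handling is advisory: a copied cookie, or a
    session cookie kept alive by session restore, is still presented.
    """
    now = time.time() if now is None else now
    limit = lifetime if lifetime > 0 else SESSION_CAP
    return 0 <= now - issued_at <= limit


if __name__ == "__main__":
    token = secrets.token_hex(16)  # constructed sample token
    print(build_auth_cookie(token))             # session cookie
    print(build_auth_cookie(token, 7 * 86400))  # persists for a week
    print(cookie_still_valid(time.time() - 8 * 86400, 7 * 86400))
```

A longer lifetime also lengthens the period during which a copied cookie is accepted, which is why the age check is repeated on the server rather than left to the browser.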