Edgewall Software

Opened 14 years ago

Closed 9 years ago

#2417 closed enhancement (wontfix)

Customizable trac_auth cookie domain

Reported by: trac@…
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: web frontend
Version: devel
Severity: normal
Keywords: authentication trac_auth domain needfixup
Cc: lm@…
Branch:
Release Notes:
API Changes:

Description

We're using Kerberos over HTTP Basic authentication with Trac. To reduce the CPU load on the Web server we'd like to redirect to SSL only for the authentication request, then go back to regular HTTP otherwise. We can do this with Apache directives, but the cookie is not used by the non-SSL server (which has a different hostname, per university policy). I ended up having to hack web/auth.py to add in LoginModule._do_login:

req.outcookie['trac_auth']['domain'] = 'acm.uiuc.edu'

With that, everything seems to work, but it'd be nice to be able to have a trac.ini setting for 'cookie domain'.

Attachments (1)

auth.py.diff (542 bytes) - added by lm@… 12 years ago.
Check the trac.ini for a trac_auth section to get the domain.


Change History (10)

comment:1 by sid, 13 years ago

Keywords: authentication added

Not sure this is going to make it into trunk because it is too specific a problem. Can it be solved with a plugin? wontfix?

comment:2 by Noah Kantrowitz <coderanger@…>, 13 years ago

Look at tracforge.linker.auth.CookieMunger for an example of doing this in a plugin. Not pretty, but it works.

comment:3 by Christian Boos, 13 years ago

Keywords: consider added
Milestone: 0.12

comment:4 by lm@…, 12 years ago

As the solution to address the initial bug report is quite simple, I suggest addressing this in Trac instead of moving this to a plugin.

It's required to send a domain if one is set in trac.ini. Else Trac behaves as before. Therefore there is no risk of breaking existing installations.

Please consider merging the patch into the upcoming 0.11 release.

by lm@…, 12 years ago

Attachment: auth.py.diff added

Check the trac.ini for a trac_auth section to get the domain.

comment:5 by lm@…, 12 years ago

The check that the length of the domain string from the environment is greater than zero was added to prevent the system from setting a superfluous empty variable that might cause different behavior.

I'm not sure if this is required.

From my point of view this doesn't harm, as the operation is cheap and not performed that often.

comment:6 by lm@…, 12 years ago

Cc: lm@… added

A reference to this defect was added to the Novell bugzilla system for the openSUSE product. See https://bugzilla.novell.com/show_bug.cgi?id=344775

comment:7 by Christian Boos, 9 years ago

Keywords: needfixup added; consider removed

Would be nice to expand the patch with defining an Option, with appropriate documentation.

comment:8 by Lars Müller <lars@…>, 9 years ago

Three years later, openslx no longer uses Trac. Therefore I can't test your suggested change. Nevertheless, thank you and the Trac project for your support!

comment:9 by Christian Boos, 9 years ago

Component: general → web frontend
Keywords: trac_auth domain added
Milestone: next-major-0.1X
Resolution: wontfix
Status: new → closed

Thank you for the feedback!

In those 3 years, it also seems that no one else has got a similar need (or they remained silent and just used the patch ;-) ), so I'm now closing as wontfix.

However, if someone else has a similar need, feel free to refresh the patch as requested and then reopen.
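
The behaviour discussed in the description and in comment:4 and comment:5, as an added stand-alone example that is not Trac's code and not the attached patch: the cookie gets a Domain only when one is configured, and a domain-match check shows which hosts then receive it. The `[trac_auth]` `domain` key, the helper names and all hostnames except `acm.uiuc.edu` are assumptions made for illustration.

```python
from configparser import ConfigParser
from http.cookies import SimpleCookie

# Constructed trac.ini fragment; section and key names are assumptions,
# since the attached patch is not shown on this page.
SAMPLE_INI = """
[trac_auth]
domain = acm.uiuc.edu
"""

def build_auth_cookie(token, ini_text, path="/"):
    """Return the trac_auth cookie, adding Domain only when one is configured."""
    cfg = ConfigParser()
    cfg.read_string(ini_text)
    domain = cfg.get("trac_auth", "domain", fallback="")
    domain = domain.strip().lstrip(".").lower()
    cookie = SimpleCookie()
    cookie["trac_auth"] = token
    cookie["trac_auth"]["path"] = path
    if domain:  # empty or missing value: host-only cookie, as before
        cookie["trac_auth"]["domain"] = domain
    return cookie

def domain_match(host, domain):
    """RFC 6265 domain matching for host names (not IP addresses)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def browser_sends(cookie, set_by_host, request_host):
    """Would a browser attach the cookie set by set_by_host to request_host?"""
    domain = cookie["trac_auth"]["domain"]
    if not domain:
        # Host-only cookie: returned only to the exact host that set it.
        return request_host.lower() == set_by_host.lower()
    # A Domain the setting host does not belong to is rejected outright.
    return domain_match(set_by_host, domain) and domain_match(request_host, domain)

if __name__ == "__main__":
    wide = build_auth_cookie("0123abcd", SAMPLE_INI)
    print(wide.output())
    # Constructed hostnames for the SSL login host and its neighbours.
    for host in ("secure.acm.uiuc.edu", "www.acm.uiuc.edu", "notacm.uiuc.edu"):
        print(host, browser_sends(wide, "secure.acm.uiuc.edu", host))
```

With the domain set, the session cookie reaches every host under acm.uiuc.edu, and because the setup in the description returns to plain HTTP after login it cannot carry the Secure attribute.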
