Edgewall Software
Modify

Opened 19 years ago

Closed 14 years ago

#2438 closed defect (duplicate)

Safari and multiple trac projects with different authentication

Reported by: valankar@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: devel
Severity: normal Keywords: needinfo
Cc: j.beilicke@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I am only able to reproduce this problem with Safari. It seems to work fine with Firefox. I am using Trac 0.9, Safari 1.3.1.

I have 2 Trac projects setup, one called splash and another called splash_old. In the Trac permissions I require authenticated users for all permissions. I have setup htpasswd files to auth the 'login' method. In the htpasswd for splash, I have a user testuser. In the htpasswd for splash_old, I have a user valankar. I have removed all cookies from my browser.

When I go to the splash project, I login as testuser and can work with the project fine. I then go to the splash_old project and do not have permissions. I then click on login. I enter valankar with my password. It then just goes to the same page not logged in (i.e. with the login link still visible). It essentially seems to ignore what I entered. If I click login again, it no longer prompts me, and just reloads the same page, again not logged in.

If I do the exact same sequence with Firefox, it works fine. I can switch between projects and for splash it shows I'm logged in as testuser, and for splash_old, it shows I'm logged in as valankar.

So it seems something related to Safari. I looked at the HTTP requests the browser is making, and I notice at the login click on the 2nd project in Safary, it sends this:

Cookie: trac_auth=36b8db01607d7ab36506ad97d38196b3; trac_auth=eb167bd6b57b7a5dae9a3dee48ef13b2

Note there are 2 trac_auth cookies. The same request in Firefox only has one trac_auth cookie sent in the request. I am guessing this is the culprit.

Is this a bug in Safari? Is there any way around it?

Thanks,

Viraj.

Attachments (0)

Change History (20)

comment:1 by valankar@…, 19 years ago

A quick fix for this (for modpython at least) is doing something like this before loading the cookies:

# Remove second instance of trac_auth
cookies = re.sub(r'(.*trac_auth.*); trac_auth=\w+', r'\1',
    self.req.headers_in['Cookie'])
self.incookie.load(cookies)

This makes only the first trac_auth cookie to be used, which is the proper one based on the spec described here:

http://wp.netscape.com/newsref/std/cookie_spec.html

Last edited 14 years ago by Remy Blank (previous) (diff)

comment:2 by valankar@…, 19 years ago

Here is a link to a Python bug report related to this and the Cookie module.

comment:3 by Christian Boos, 18 years ago

Keywords: needinfo added

Hm, if this is not happening anymore with more recent versions of Safari, maybe we could close this one…

comment:4 by Christian Boos, 18 years ago

Resolution: wontfix
Status: newclosed

Assuming this is not an issue anymore… please reopen if the issue is still valid.

comment:5 by michael.maier@…, 18 years ago

Resolution: wontfix
Status: closedreopened
Version: 0.9devel

I have had exactly the same problem using Safari 2.0.4 (419.3) and Trac 0.10.5dev, using multiple trac projects in a virtual host. Also, submitting any settings from the settings page resulted in a bad request error "Missing or invalid form token. Do you have cookies enabled?".

But I found a solution giving a hint for a possible reason for this error: The trac environment folder contained one space character; after renaming the directory the error no longer occurs, login works just fine, submitting settings and so on.

comment:6 by sid, 17 years ago

Resolution: worksforme
Status: reopenedclosed

So you resolved it by getting rid of spaces in your trac environment folder. Thanks for the feedback, Michael.

Sounds like worksforme then.

comment:7 by epeterson@…, 17 years ago

Resolution: worksforme
Status: closedreopened

I'm having this exact same problem still with Trac 10.3 and Safari. No space in my environment folder.

comment:8 by Christian Boos, 17 years ago

Make sure you're using a recent version of Safari (3.1), as it looks like it's a Safari bug.

comment:9 by Christian Boos, 16 years ago

Resolution: invalid
Status: reopenedclosed

Please reopen if the problem still exist with recent Safari version (or other browsers).

comment:10 by anonymous, 16 years ago

Resolution: invalid
Status: closedreopened

We have from time to time the same problem (bad request…) with multiple trac opened simultaneously. It occurs not on all pcs, only for some users. And we use FF2 or 3, not Safari. The TRAC version we use is a 0.10 r6400.

in reply to:  10 comment:11 by Noah Kantrowitz, 16 years ago

Resolution: invalid
Status: reopenedclosed

Replying to anonymous:

We have from time to time the same problem (bad request…) with multiple trac opened simultaneously. It occurs not on all pcs, only for some users. And we use FF2 or 3, not Safari. The TRAC version we use is a 0.10 r6400.

Pretty clearly not the same bug then. Do not reopen unrelated bugs.

comment:12 by anonymous, 16 years ago

Thanks for the remark and answer. I have opened the #7897 for it.

comment:13 by j.beilicke@…, 14 years ago

I have the same problem with recent versions of Trac (0.12) and Safari/Mac (Version 5.0.3). The cookie trac_auth is sent twice by Safari when trying to login. In my case the projects are called "campaigns" and "campaigns-test".

Output from ngrep:

GET /campaigns/report HTTP/1.1
Host: example.org
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns/report
Cookie: trac_auth=38ce5f8974f78484c8c7acdad7c9f0a8; trac_form_token=9381f850cba65c9c2b917644
Connection: keep-alive

...

GET /campaigns-test/report HTTP/1.1
Host: example.org
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns-test/report
Cookie: trac_auth=7a5ed301a7da16e4220ffd6600107396; trac_auth=38ce5f8974f78484c8c7acdad7c9f0a8; trac_form_token=9381f850cba65c9c2b917644
Connection: keep-alive
Last edited 14 years ago by Remy Blank (previous) (diff)

comment:14 by j.beilicke@…, 14 years ago

Resolution: invalid
Status: closedreopened

Reopened according to this comment.

comment:15 by Remy Blank, 14 years ago

That means both sites have the same prefix. I wonder if our cookie path has a trailing "/" or not.

in reply to:  15 comment:16 by j.beilicke@…, 14 years ago

Cc: j.beilicke@… added

Replying to rblank:

That means both sites have the same prefix. I wonder if our cookie path has a trailing "/" or not.

No trailing "/":

HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 14:46:23 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Authentication-Info: rspauth="bb1d2eccef0522c92389a1030b975497", cnonce="35673231c65aeb15d14400abe81915dd", nc=00000001, qop=auth
Location: http://example.org/campaigns/report
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Set-Cookie: trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; Path=/campaigns
Set-Cookie: trac_session=52c319bd297ed06c43d3541d; expires=Mon, 10-Jan-2011 14:46:24 GMT; Path=/campaigns
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain
  
...

GET /campaigns-test/login HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns-test/report
Accept-Language: de-de
Accept-Encoding: gzip, deflate
Cookie: trac_session=730441c547cce7c2653a7556; trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; trac_form_token=9381f850cba65c9c2b917644
Authorization: Digest username="testuser", realm="testrealm", nonce="A0U3C3+ZBAA=aeff66a194f868a809533129050cba75abe29d9f", uri="/campaigns-test/login", response="0126e6135fdcbed60a6f7dddf4a80bc7", algorithm="MD5", cnonce="c18643575c480fa99c83bdf5ef8603c6", nc=00000001, qop="auth"
Connection: keep-alive

##

HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 14:47:14 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Authentication-Info: rspauth="054ba0bb7c90bcc113dedb514442aa17", cnonce="c18643575c480fa99c83bdf5ef8603c6", nc=00000001, qop=auth
Location: http://example.org/campaigns-test/report
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Set-Cookie: trac_auth=fa7e592dbad53848fe28875f873a8edb; Path=/campaigns-test
Set-Cookie: trac_session=730441c547cce7c2653a7556; expires=Mon, 10-Jan-2011 14:47:14 GMT; Path=/campaigns-test
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

##

T 172.16.20.30:54748 -> 172.16.10.151:80 [AP]
GET /campaigns-test/report HTTP/1.1
Host: example.org
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns-test/report
Cookie: trac_auth=fa7e592dbad53848fe28875f873a8edb; trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; trac_form_token=9381f850cba65c9c2b917644
Connection: keep-alive
Last edited 14 years ago by Remy Blank (previous) (diff)

comment:17 by Remy Blank, 14 years ago

So the next question is: is there supposed to be a trailing slash, or is this a browser bug? Each instance sets only a single trac_auth cookie, but the browser returns both cookies when accessing the "campaigns-test" instance. Can you reproduce the issue with other browsers than Safari?

comment:18 by Christian Boos, 14 years ago

And also, is this really Safari specific? What do you get with other browsers?

This looks like the same problem as reported in #9951.

in reply to:  18 comment:19 by j.beilicke@…, 14 years ago

Replying to cboos:

And also, is this really Safari specific? What do you get with other browsers?

This looks like the same problem as reported in #9951.

Indeed the same problem! Thx for the hint :)

In Firefox everything is fine, Chrome too:

T client-ip:55649 -> server-ip:80 [AP]
  GET /campaigns/login HTTP/1.1..Host: example.org..User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8..Accept: text/html,application/xhtml+xml,application/xml;
  q=0.9,*/*;q=0.8..Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3..Accept-Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Alive: 600..Connection: keep-alive..Cookie: trac_form_token=7e83fb2
  e42c1e34d0b427bfe; trac_session=74a02ae1d644684c48131b43..Authorization: Digest username="testuser", realm="testrealm", nonce="...", uri="/campaigns/login", algorithm
  =MD5, response="...", qop=auth, nc=00000005, cnonce="b5b2983387b9eb82"....
##
T server-ip:80 -> client-ip:55649 [AP]
  HTTP/1.1 302 Found..Date: Mon, 10 Jan 2011 16:25:55 GMT..Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o..Authentication-Info: rspauth="...", cnonce="...", nc=00000005, qop=auth..Location: http://example.org/campaigns..Pragma: no-cache..Cache-Control: no-cache..Expires: Fri, 01 Jan 1999 00:00:00 GMT..Set-Cookie: trac_auth=7d2a3eee58a
  5c09b80568ee2daa314af; Path=/campaigns..Set-Cookie: trac_session=74a02ae1d644684c48131b43; expires=Mon, 10-Jan-2011 16:25:55 GMT; Path=/campaigns..Vary: Accept-Encoding..Content-Encoding: gzip..Content-Length: 20..Keep-Ali
  ve: timeout=15, max=98..Connection: Keep-Alive..Content-Type: text/plain........................
  
...

T client-ip:55721 -> server-ip:80 [AP]
  GET /campaigns-test/login HTTP/1.1..Host: example.org..User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8..Accept: text/html,application/xhtml+xml,application
  /xml;q=0.9,*/*;q=0.8..Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3..Accept-Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Alive: 600..Connection: keep-alive..Cookie: trac_form_token=f9
  3dbe172756560e62241e38; trac_session=1a4c12dcbe579bdf218384e5..Authorization: Digest username="testuser", realm="testrealm", nonce="...", uri="/campaigns-test/login",
   algorithm=MD5, response="...", qop=auth, nc=00000001, cnonce="79d9309502968a55"....                                                                                                             
##
T server-ip:80 -> client-ip:55721 [AP]
  HTTP/1.1 302 Found..Date: Mon, 10 Jan 2011 16:32:32 GMT..Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o..Authentication-Info: rspauth="...", cnonce="79d9309502968a55", nc=00000001, qop=auth..Location: http://example.org/campaigns-test..Pragma: no-cache..Cache-Control: no-cache..Expires: Fri, 01 Jan 1999 00:00:00 GMT..Set-Cookie: trac_auth=c1202f
  2561b666d64dee26af11a5e4d7; Path=/campaigns-test..Set-Cookie: trac_session=1a4c12dcbe579bdf218384e5; expires=Mon, 10-Jan-2011 16:32:32 GMT; Path=/campaigns-test..Vary: Accept-Encoding..Content-Encoding: gzip..Content-Lengt
  h: 20..Keep-Alive: timeout=15, max=99..Connection: Keep-Alive..Content-Type: text/plain........................

(Chrome similar)

Opera sends the cookie twice like Safari does:

  GET /campaigns-test HTTP/1.1..User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.5; U; de) Presto/2.7.62 Version/11.00..Host: example.org..Accept: text/html, application/xml;q=0.9, application/xhtml+xml, imag
  e/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1..Accept-Language: de,en;q=0.9,en-US;q=0.8,fr;q=0.7..Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Auth
  orization: Digest username="testuser", realm="testrealm", uri="/campaigns-test", algorithm=MD5, nonce="...", cnonce="...", qo
  p=auth, nc=00000019, response="..."..Referer: http://example.org/campaigns-test..Cookie: trac_form_token=1dba0aff17dfae9da1deb759; trac_auth=43c7f9d748c7d2c2edc4fb2645b255e0; trac_for
  m_token=00b52f1a601b00154690ad2a; trac_auth=ed921ec42a86927d5085b16a0ce2aa98..Cookie2: $Version=1..Connection: Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....

comment:20 by Remy Blank, 14 years ago

Resolution: duplicate
Status: reopenedclosed

Ok, let's re-close this ticket and continue on #9951.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.