Opened 19 years ago
Closed 14 years ago
#2438 closed defect (duplicate)
Safari and multiple trac projects with different authentication
Reported by: | | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | general | Version: | devel |
Severity: | normal | Keywords: | needinfo |
Cc: | j.beilicke@… | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
I am only able to reproduce this problem with Safari. It seems to work fine with Firefox. I am using Trac 0.9, Safari 1.3.1.
I have 2 Trac projects set up, one called splash and another called splash_old. In the Trac permissions I require authenticated users for all permissions. I have set up htpasswd files to auth the 'login' method. In the htpasswd for splash, I have a user testuser. In the htpasswd for splash_old, I have a user valankar. I have removed all cookies from my browser.
When I go to the splash project, I log in as testuser and can work with the project fine. I then go to the splash_old project and do not have permissions. I then click on login. I enter valankar with my password. It then just goes to the same page not logged in (i.e. with the login link still visible). It essentially seems to ignore what I entered. If I click login again, it no longer prompts me, and just reloads the same page, again not logged in.
If I do the exact same sequence with Firefox, it works fine. I can switch between projects and for splash it shows I'm logged in as testuser, and for splash_old, it shows I'm logged in as valankar.
So it seems something related to Safari. I looked at the HTTP requests the browser is making, and I notice at the login click on the 2nd project in Safari, it sends this:
Cookie: trac_auth=36b8db01607d7ab36506ad97d38196b3; trac_auth=eb167bd6b57b7a5dae9a3dee48ef13b2
Note there are 2 trac_auth cookies. The same request in Firefox only has one trac_auth cookie sent in the request. I am guessing this is the culprit.
Is this a bug in Safari? Is there any way around it?
Thanks,
Viraj.
Attachments (0)
Change History (20)
comment:2 by , 19 years ago
Here is a link to a Python bug report related to this and the Cookie module.
comment:3 by , 18 years ago
Keywords: | needinfo added |
---|
Hm, if this is not happening anymore with more recent versions of Safari, maybe we could close this one…
comment:4 by , 18 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Assuming this is not an issue anymore… please reopen if the issue is still valid.
comment:5 by , 18 years ago
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
Version: | 0.9 → devel |
I have had exactly the same problem using Safari 2.0.4 (419.3) and Trac 0.10.5dev, using multiple trac projects in a virtual host. Also, submitting any settings from the settings page resulted in a bad request error "Missing or invalid form token. Do you have cookies enabled?".
But I found a solution giving a hint for a possible reason for this error: The trac environment folder contained one space character; after renaming the directory the error no longer occurs, login works just fine, submitting settings and so on.
comment:6 by , 17 years ago
Resolution: | → worksforme |
---|---|
Status: | reopened → closed |
So you resolved it by getting rid of spaces in your trac environment folder. Thanks for the feedback, Michael.
Sounds like worksforme then.
comment:7 by , 16 years ago
Resolution: | worksforme |
---|---|
Status: | closed → reopened |
I'm having this exact same problem still with Trac 10.3 and Safari. No space in my environment folder.
comment:8 by , 16 years ago
Make sure you're using a recent version of Safari (3.1), as it looks like it's a Safari bug.
comment:9 by , 16 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
Please reopen if the problem still exists with a recent Safari version (or other browsers).
follow-up: 11 comment:10 by , 16 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
We have from time to time the same problem (bad request…) with multiple trac opened simultaneously. It occurs not on all pcs, only for some users. And we use FF2 or 3, not Safari. The TRAC version we use is a 0.10 r6400.
comment:11 by , 16 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
Replying to anonymous:
We have from time to time the same problem (bad request…) with multiple trac opened simultaneously. It occurs not on all pcs, only for some users. And we use FF2 or 3, not Safari. The TRAC version we use is a 0.10 r6400.
Pretty clearly not the same bug then. Do not reopen unrelated bugs.
comment:13 by , 14 years ago
I have the same problem with recent versions of Trac (0.12) and Safari/Mac (Version 5.0.3). The cookie trac_auth is sent twice by Safari when trying to log in. In my case the projects are called "campaigns" and "campaigns-test".
Output from ngrep:

```
GET /campaigns/report HTTP/1.1
Host: example.org
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns/report
Cookie: trac_auth=38ce5f8974f78484c8c7acdad7c9f0a8; trac_form_token=9381f850cba65c9c2b917644
Connection: keep-alive

...

GET /campaigns-test/report HTTP/1.1
Host: example.org
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns-test/report
Cookie: trac_auth=7a5ed301a7da16e4220ffd6600107396; trac_auth=38ce5f8974f78484c8c7acdad7c9f0a8; trac_form_token=9381f850cba65c9c2b917644
Connection: keep-alive
```
comment:14 by , 14 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Reopened according to this comment.
follow-up: 16 comment:15 by , 14 years ago
That means both sites have the same prefix. I wonder if our cookie path has a trailing "/" or not.
comment:16 by , 14 years ago
Cc: | added |
---|
Replying to rblank:
That means both sites have the same prefix. I wonder if our cookie path has a trailing "/" or not.
No trailing "/":
```
HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 14:46:23 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Authentication-Info: rspauth="bb1d2eccef0522c92389a1030b975497", cnonce="35673231c65aeb15d14400abe81915dd", nc=00000001, qop=auth
Location: http://example.org/campaigns/report
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Set-Cookie: trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; Path=/campaigns
Set-Cookie: trac_session=52c319bd297ed06c43d3541d; expires=Mon, 10-Jan-2011 14:46:24 GMT; Path=/campaigns
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

...

GET /campaigns-test/login HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns-test/report
Accept-Language: de-de
Accept-Encoding: gzip, deflate
Cookie: trac_session=730441c547cce7c2653a7556; trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; trac_form_token=9381f850cba65c9c2b917644
Authorization: Digest username="testuser", realm="testrealm", nonce="A0U3C3+ZBAA=aeff66a194f868a809533129050cba75abe29d9f", uri="/campaigns-test/login", response="0126e6135fdcbed60a6f7dddf4a80bc7", algorithm="MD5", cnonce="c18643575c480fa99c83bdf5ef8603c6", nc=00000001, qop="auth"
Connection: keep-alive

##

HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 14:47:14 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Authentication-Info: rspauth="054ba0bb7c90bcc113dedb514442aa17", cnonce="c18643575c480fa99c83bdf5ef8603c6", nc=00000001, qop=auth
Location: http://example.org/campaigns-test/report
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Set-Cookie: trac_auth=fa7e592dbad53848fe28875f873a8edb; Path=/campaigns-test
Set-Cookie: trac_session=730441c547cce7c2653a7556; expires=Mon, 10-Jan-2011 14:47:14 GMT; Path=/campaigns-test
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

##

T 172.16.20.30:54748 -> 172.16.10.151:80 [AP]
GET /campaigns-test/report HTTP/1.1
Host: example.org
Accept-Encoding: gzip, deflate
Accept-Language: de-de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://example.org/campaigns-test/report
Cookie: trac_auth=fa7e592dbad53848fe28875f873a8edb; trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; trac_form_token=9381f850cba65c9c2b917644
Connection: keep-alive
```
comment:17 by , 14 years ago
So the next question is: is there supposed to be a trailing slash, or is this a browser bug? Each instance sets only a single trac_auth cookie, but the browser returns both cookies when accessing the "campaigns-test" instance. Can you reproduce the issue with other browsers than Safari?
follow-up: 19 comment:18 by , 14 years ago
And also, is this really Safari specific? What do you get with other browsers?
This looks like the same problem as reported in #9951.
comment:19 by , 14 years ago
Replying to cboos:
And also, is this really Safari specific? What do you get with other browsers?
This looks like the same problem as reported in #9951.
Indeed the same problem! Thx for the hint :)
In Firefox everything is fine, Chrome too:
```
T client-ip:55649 -> server-ip:80 [AP]
GET /campaigns/login HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 600
Connection: keep-alive
Cookie: trac_form_token=7e83fb2e42c1e34d0b427bfe; trac_session=74a02ae1d644684c48131b43
Authorization: Digest username="testuser", realm="testrealm", nonce="...", uri="/campaigns/login", algorithm=MD5, response="...", qop=auth, nc=00000005, cnonce="b5b2983387b9eb82"

##

T server-ip:80 -> client-ip:55649 [AP]
HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 16:25:55 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Authentication-Info: rspauth="...", cnonce="...", nc=00000005, qop=auth
Location: http://example.org/campaigns
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Set-Cookie: trac_auth=7d2a3eee58a5c09b80568ee2daa314af; Path=/campaigns
Set-Cookie: trac_session=74a02ae1d644684c48131b43; expires=Mon, 10-Jan-2011 16:25:55 GMT; Path=/campaigns
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/plain

...

T client-ip:55721 -> server-ip:80 [AP]
GET /campaigns-test/login HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 600
Connection: keep-alive
Cookie: trac_form_token=f93dbe172756560e62241e38; trac_session=1a4c12dcbe579bdf218384e5
Authorization: Digest username="testuser", realm="testrealm", nonce="...", uri="/campaigns-test/login", algorithm=MD5, response="...", qop=auth, nc=00000001, cnonce="79d9309502968a55"

##

T server-ip:80 -> client-ip:55721 [AP]
HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 16:32:32 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Authentication-Info: rspauth="...", cnonce="79d9309502968a55", nc=00000001, qop=auth
Location: http://example.org/campaigns-test
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Set-Cookie: trac_auth=c1202f2561b666d64dee26af11a5e4d7; Path=/campaigns-test
Set-Cookie: trac_session=1a4c12dcbe579bdf218384e5; expires=Mon, 10-Jan-2011 16:32:32 GMT; Path=/campaigns-test
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/plain
```
(Chrome similar)
Opera sends the cookie twice like Safari does:
```
GET /campaigns-test HTTP/1.1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.5; U; de) Presto/2.7.62 Version/11.00
Host: example.org
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: de,en;q=0.9,en-US;q=0.8,fr;q=0.7
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Authorization: Digest username="testuser", realm="testrealm", uri="/campaigns-test", algorithm=MD5, nonce="...", cnonce="...", qop=auth, nc=00000019, response="..."
Referer: http://example.org/campaigns-test
Cookie: trac_form_token=1dba0aff17dfae9da1deb759; trac_auth=43c7f9d748c7d2c2edc4fb2645b255e0; trac_form_token=00b52f1a601b00154690ad2a; trac_auth=ed921ec42a86927d5085b16a0ce2aa98
Cookie2: $Version=1
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
```
comment:20 by , 14 years ago
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
Ok, let's re-close this ticket and continue on #9951.
A quick fix for this (for modpython at least) is doing something like this before loading the cookies:
This makes only the first trac_auth cookie to be used, which is the proper one based on the spec described here:
http://wp.netscape.com/newsref/std/cookie_spec.html
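
The behaviour discussed in this ticket, as an added example that is not part of the ticket or of Trac's code: it shows why `Path=/campaigns` also reaches `/campaigns-test` under plain prefix matching, and how keeping the first duplicate differs from Python's standard-library parser, which keeps the last. All function names are hypothetical, and the sample header is constructed from the Safari capture in comment:16.

```python
from http.cookies import SimpleCookie

def first_cookie_values(header):
    """Parse a Cookie request header, keeping the FIRST value seen per name."""
    result = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name and name not in result:
            result[name] = value
    return result

def last_cookie_values(header):
    """Standard-library parsing: a later duplicate overwrites the earlier one."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def prefix_path_match(cookie_path, request_path):
    """Plain string-prefix matching, consistent with the Safari/Opera captures."""
    return request_path.startswith(cookie_path)

def rfc6265_path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4: the prefix must end at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

# Constructed sample: Cookie header of the last Safari request in comment:16.
# The first trac_auth was set with Path=/campaigns-test, the second with
# Path=/campaigns.
SAFARI_HEADER = (
    "trac_auth=fa7e592dbad53848fe28875f873a8edb; "
    "trac_auth=4d8a6d3d8cc7a8e52400c2a7375b8898; "
    "trac_form_token=9381f850cba65c9c2b917644"
)

if __name__ == "__main__":
    print("first wins:", first_cookie_values(SAFARI_HEADER)["trac_auth"])
    print("last wins: ", last_cookie_values(SAFARI_HEADER)["trac_auth"])
    for match in (prefix_path_match, rfc6265_path_match):
        print(match.__name__, match("/campaigns", "/campaigns-test/report"))
```

With last-wins parsing, the `campaigns-test` instance receives the `campaigns` auth token, which it does not know, so the user appears logged out even after a successful login.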