Session

A session is a stateful abstraction over the stateless HTTP protocol. Basically, repeated requests from the same user / computer form a session. Per-session state is needed to remember essential information like:

• Whether the user is logged in.
• The user's authentication details.
• The user's preferences.

This is commonly implemented using cookies.

Session user interface

In Trac's Advanced Preferences the user can save a session key and restore his session from a different computer.

Session administration

Session keys can also be managed using the TracAdmin session commands.

Session API

trac.web.session.Session​ provides an API to save arbitrary per-session data.

The session for the current web request can be accessed in req.session.

Session storage in the Database

The per-session data is stored in the database. Specifically in the session and the session_attribute tables. The session key / cookie identifies the relevant entries in these tables.

Note: as we often manipulate both the session and the session_attribute tables, there's a possibility of table deadlocks (#9705). We try to prevent them by always accessing the tables in the same order within the transaction: first session, then session_attribute.

Session cookie

The session key is stored in the trac_session cookie.

Authentication cookie

The trac.web.auth.LoginModule​ implements HTTP authentication and stores the trac_auth cookie to identify the user in subsequent requests. The credentials are stored in the auth_cookie database table. The cookie identifies the relevant entry in that table.

The lifetime and the path of this cookie can be configured in trac.ini with auth_cookie_lifetime and auth_cookie_path.