Edgewall Software

Version 1 (modified by Peter Suter, 11 years ago) ( diff )


A session is a stateful abstraction over the stateless HTTP protocol. Basically, repeated requests from the same user / computer form a session. Per-session state is needed to remember essential information like:

  • If the user is logged in
  • The user's authentication details
  • The user's preferences

This is commonly implemented using cookies.

Session user interface

In Trac's Advanced Preferences the user can save a session key and restore his session from a different computer.

Session administration

Session keys can also be managed using the TracAdmin session commands.

Session API

trac.web.session.Session provides an API to save arbitrary per-session data.

The session for the current web request can be accessed in req.session.

Session storage in the Database

The per-session data is stored in the database. Specifically in the session and the session_attribute tables. (The session key / cookie identifies the relevant entries in these tables.)

Note: as we often manipulate both the session and the session_attribute tables, there's a possibility of table deadlocks (#9705). We try to prevent them to happen by always accessing the tables in the same order within the transaction, first session, then session_attribute.

Session cookie

The session key is stored in the trac_session cookie.

Authentication cookie

The trac.web.auth.LoginModule implements HTTP authentication and stores the trac_auth cookie to identify the user in subsequent requests. The credentials are stored in the auth_cookie database table. (The cookie identifies the relevant entry in that table.)

The lifetime and the path of this cookie can be configured in trac.ini with auth_cookie_lifetime and auth_cookie_path.

Note: See TracWiki for help on using the wiki.