id	summary	reporter	owner	description	type	status	priority	component	severity	resolution	keywords	cc	release
9099	[PATCH] Expire trac_auth_session cookie whenever trac_auth cookie gets expired.	janakj	hasienda	AccountManager with Trac 0.12 does not expire trac_auth_session cookie properly. When the user logs out, AccountManager module extends trac_auth_session cookie again, instead of expiring it. Hence the UA keeps resubmitting trac_auth_session with all requests until the next authentication attempt. That can confuse versions of AccountManager without the fix in #9095.\r\n\r\nThe problem is caused by auth.LoginModule._do_logout. AccountManager correctly expires trac_auth_session cookie in its own version of _do_logout and then calls auth.LoginModule._do_logout. That function attempts to obtain the value of req.authname which does not exist yet and that triggers AccountManager.authenticate() which internally calls _get_name_for_cookie which extends the previously expired trac_auth_session cookie again. Hence, trac_auth_session will be extended in the 302 response, instead of expired.\r\n\r\nThe attached patch fixes the issue by overriding function _expire_cookie in AccountManager. The overriding function expires trac_auth_session and then calls auth.LoginModule._expire_cookie. That ensures that both cookies get expired at the same time, i.e., after AccountManager.authenticate.\r\n\r\nAt the same time we remove the call to _expire_session_cookie from AccountManager._do_logout and because the function only calls its super method, the overriding method is no longer needed and can be removed.\r\n	defect	closed	normal	AccountManagerPlugin	normal	fixed	cookie lifetime		0.12
