wiki:SharedCookieAuthPlugin

Share Trac cookies between projects in the same environment

Description

SharedCookieAuthPlugin allows cookies to be shared between Trac instances in the same environment (i.e. directory). The plugin monkey-patches trac.web.auth.LoginModule so that cookies get set at / instead of req.base_path (See following note). The incoming request is then passed by the authenticate method of the IAuthenticator interface to projects that peer the project of interest to see if the user is authenticated there. This enables single-sign on for Trac projects in the same directory.

Note1: As per request in T#8486 a new configuration option, has been introduced to Trac with changeset T:[9226], that accomplished this:

[trac]
auth_cookie_path = /var/www/trac

So this has been made a part of Trac, and a simplified plugin version (not yet available) should work for Trac version >= 0.12 without that monkey-patching.

Note2: Before recent maintainer take-over, this plugin inspired a native Single-Sign-On functionality in AccountManagerPlugin, that is stable, available since acct_mgr-0.4 and even solves some of the shortcomings of this plugin. Most importantly login/logout works from any Trac environment sharing identical cookie path settings.

Configuration

To make this work you will need to select one of the project to be the master authenticator, the other (slave) projects should be configured to pass the authenticate request onto the master project. This is to avoid one project to kill the auth_cookie if the login was made in another project. Unfortunately this means that login and logout can only be made in the master project.

So for the slave projects you'll need to disable the normal way of authentication while enabling the sharedcookieauth:

[components]
sharedcookieauth.* = enabled
trac.web.auth.LoginModule = disabled

[trac]
auth_cookie_path = /

And for the master project:

[components]
sharedcookieauth.* = enabled
trac.web.auth.LoginModule = enabled

[trac]
auth_cookie_path = /

The sharedcookieauth should not need to be enabled in the master project, but it shouldn't harm either. Also be aware that the server name used must match or the browser will not share the auth_cookie between the projects

Bugs/Feature Requests

Existing bugs and feature requests for SharedCookieAuthPlugin are here.

If you have any issues, create a new ticket.

Download

Download the zipped source from here.

Source

You can check out SharedCookieAuthPlugin from here using Subversion, or browse the source with Trac.

Example

Install the plugin on multiple Trac instances in the same directory that use cookie-based auth. Then login to one should mirror login to all of them

Recent Changes

[12348] by agitronic on 2012-11-14 17:59:08
Fix multiple call to authenticate problem, closes #5566.

There seem to be a possibility that the authenticate method is
called multiple times during the processing of a request.

Also the '0.11' directory has been renamed to 'trunk' and monkey
patching has been disabled.

[11456] by agitronic on 2012-04-07 11:06:22
Updated maintainer field.
[6275] by k0s on 2009-07-23 20:14:24
point to correct URL

Author/Contributors

Originally developed at The Open Planning Project

Author: k0s
Maintainer: agitronic
Contributors:

Last modified 21 months ago Last modified on Dec 17, 2012 10:49:00 PM