Opened 11 years ago

Closed 7 years ago

#346 closed defect (wontfix)

Once a user has authenticated in the browser, they can type in any username/password on login screen

Reported by: TwoHanded@… Owned by: coderanger
Priority: normal Component: AuthFormPlugin
Severity: normal Keywords:
Cc: coderanger, adeason@… Trac Release: 0.9


Once the user has authenticated in their browser, they are taken to the /login page. There, if they type in a DIFFERENT username and ANY password on the /login page, then they are logged in as that user.

The biggest problem with this is that on the /login screen if you type in a valid username, then you can use ANY password and it will allow you to login.

I am hoping that this is just a problem with my configuration My python skills are slim, or I would try to jump in and figure it out.

Thanks for your help!

Attachments (1)

redirect.diff (555 bytes) - added by adeason@… 11 years ago.
Patch to redirect a user to the project main page upon successful authentication if the page referer is unknown.

Download all attachments as: .zip

Change History (11)

comment:1 Changed 11 years ago by adeason@…

Hmmm, I cannot replicate this here. Can you check your webserver logs, and see if the requests to the HTTP authentication URL are being made properly?

I'm also wondering why users would be taken to the /login page after they login. After they have successfully logged in, they are supposed to be redirected to the page they initially came from. If they are just sent back to the login box again, try looking at the HTML source and see if you see a hidden input element called "ref", and see what it's value is. It's supposed to be the URL of the page that the user is redirected back to when they've successfully authenticated.

After I saw this, though, I realized that if that input element is not set, the user is redirected to... somewhere (possibly the domain root?). Whatever req.redirect() redirects the user to when it's null. I'm attaching a patch that instead redirects the user to the project main page if the referer was not given.

Changed 11 years ago by adeason@…

Patch to redirect a user to the project main page upon successful authentication if the page referer is unknown.

comment:2 Changed 11 years ago by coderanger

  • Resolution set to fixed
  • Status changed from new to closed

(In [745]) Trying to fix #346.

comment:3 Changed 11 years ago by coderanger

Patch applied in [745]. Thanks.

comment:4 Changed 11 years ago by TwoHanded@…

  • Cc coderanger adeason@… added; anonymous removed

Thanks alot for the quick response.

I will try the patch to see if that helps, although it looks like it was designed to fix a different issue. And I will also take a look at the HTML that is rendered. One thing that I forgot to mention is that I am using tracd, so therefore, there aren't any webserver logs to help me troubleshoot what was going on. Is there any type of other logging that I can do or provide to help troubleshoot this issue when using tracd?

Thanks again!

I didn't want to reopen this issue, so I just added you both to the "CC" - I hope that is standard procedure.

comment:5 Changed 11 years ago by coderanger

  • Resolution fixed deleted
  • Status changed from closed to reopened

This wasn't meant to be closed actually, looks like the post-commit script did it.

comment:6 Changed 11 years ago by adeason@…

I've never used tracd, so I don't know a lot about it... but can it actually make a certain URL use HTTP auth? What does it even authenticate against?

comment:7 Changed 11 years ago by anonymous

Here's some info about tracd: including information about authentication.

By default, Tracd provides support for Digest authentication using an htdigest file. Like I mentioned, I can get the authentication to work, that's not a problem. The problem is that once the user is authenticated they can then login as ANY user on the /login page.

comment:8 Changed 11 years ago by adeason@…

There is the standard logging for trac, I remember... have you tried looking at the DEBUG messages from there? No idea if that shows something like an access log or something.

comment:9 Changed 11 years ago by coderanger

I don't think this will actually work very well on tracd, as I would guess it hardcodes some of the auth paths.

comment:10 Changed 7 years ago by coderanger

  • Resolution set to wontfix
  • Status changed from reopened to closed

Plugin is deprecated.

Add Comment

Modify Ticket

as closed The owner will remain coderanger.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.