id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release 9099,[PATCH] Expire trac_auth_session cookie whenever trac_auth cookie gets expired.,Jan Janak,Steffen Hoffmann,"AccountManager with Trac 0.12 does not expire trac_auth_session cookie properly. When the user logs out, AccountManager module extends trac_auth_session cookie again, instead of expiring it. Hence the UA keeps resubmitting trac_auth_session with all requests until the next authentication attempt. That can confuse versions of AccountManager without the fix in #9095. The problem is caused by auth.LoginModule._do_logout. AccountManager correctly expires trac_auth_session cookie in its own version of _do_logout and then calls auth.LoginModule._do_logout. That function attempts to obtain the value of req.authname which does not exists yet and that triggers AccountManager.authenticate() which internally calls _get_name_for_cookie which extends the previously expired trac_auth_session cookie again. Hence, trac_auth_session will be extended in the 302 response, instead of expired. The attached patch fixes the issue by overriding function _expire_cookie in AccountManager. The overriding function expires trac_auth_session and then calls auth.LoginModule._expire_cookie. That ensures that both cookies get expired at the same time, i.e., after AccountManager.authenticate. At the same time we remove the call to _expire_session_cookie from AccountManager._do_logout and because the function only calls its super method, the overriding method is no longer needed and can be removed. ",defect,closed,normal,AccountManagerPlugin,normal,fixed,cookie lifetime,,0.12