Mailing List Archive

logging out all authenticated users
In our installation of trac 1.2, the only way I can disable a user login is
by removing them manually from the file pointed at by htdigest_file=
in trac.ini's [account-manager] section.
(somehow, web admin interface does not do this :-( )

However, the user is still able to modify trac contents, as long as they
didn't log out in the browser (even after a reboot of the trac server).
So they still hold some kind of login/access token.

Question: how does one log out all the users from the server side?
(i.e., expire their access tokens) ?

------------------

We need this to make the trac server read-only.

Thanks,
Dima





--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trac-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/trac-users/0fdf044e-ef7b-4430-86ae-bc7ed5b2b95bn%40googlegroups.com.
Re: logging out all authenticated users
I'm now running "trac-admin <instance> session delete $uid" for all 3000+
sessions I see in the output of "trac-admin <instance> session list
authenticated"

Will it have the desired effect?

On Monday, January 30, 2023 at 4:54:39 PM UTC Dima Pasechnik wrote:

> In our installation of trac 1.2, the only way I can disable a user login
> is by
> removing them manually from the file pointed at by htdigest_file=
> in trac.ini's [account-manager] section.
> (somehow, web admin interface does not do this :-( )
>
> However, the user is still able to modify trac contents, as long as they
> didn't log out in the browser (even after a reboot of the trac server).
> So they still hold some kind of login/access token.
>
> Question: how does one log out all the users from the server side?
> (i.e., expire their access tokens) ?
>
> ------------------
>
> We need this to make the trac server read-only.
>
> Thanks,
> Dima
>
>
>
>
>
>

Re: logging out all authenticated users
On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dimpase@gmail.com> wrote:
> Question: how does one log out all the users from the server side?
> (i.e., expire their access tokens) ?

Try to delete records in auth_cookie table.

--
Jun Omae <jun66j5@gmail.com>

Re: logging out all authenticated users
On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun66j5@gmail.com> wrote:
>
> On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dimpase@gmail.com> wrote:
> > Question: how does one log out all the users from the server side?
> > (i.e., expire their access tokens) ?
>
> Try to delete records in auth_cookie table.

Where is this table? I only see

[trac]
auth_cookie_path =

in trac.ini


>
> --
> Jun Omae <jun66j5@gmail.com>
>

Re: logging out all authenticated users
On Tue, Jan 31, 2023 at 8:53 AM Dima Pasechnik <dimpase@gmail.com> wrote:
>
> On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun66j5@gmail.com> wrote:
> >
> > On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dimpase@gmail.com> wrote:
> > > Question: how does one log out all the users from the server side?
> > > (i.e., expire their access tokens) ?
> >
> > Try to delete records in auth_cookie table.
>
> Where is this table? I only see

I said "table". Table is typically stored in database....
See [trac] database option in your Trac environment.

See also:

- https://trac.edgewall.org/wiki/1.2/TracInstall#MandatoryDependencies
- https://trac.edgewall.org/wiki/DatabaseBackend

--
Jun Omae <jun66j5@gmail.com>

Re: logging out all authenticated users
On Tue, Jan 31, 2023 at 12:12 AM Jun Omae <jun66j5@gmail.com> wrote:
>
> On Tue, Jan 31, 2023 at 8:53 AM Dima Pasechnik <dimpase@gmail.com> wrote:
> >
> > On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun66j5@gmail.com> wrote:
> > >
> > > On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dimpase@gmail.com> wrote:
> > > > Question: how does one log out all the users from the server side?
> > > > (i.e., expire their access tokens) ?
> > >
> > > Try to delete records in auth_cookie table.
> >
> > Where is this table? I only see
>
> I said "table". Table is typically stored in database....
> See [trac] database option in your Trac environment.

Yes, I see now, thanks. Looking at the code in `web/auth.py`, I see a
search for a cookie for the user. And there are functions (in LoginModule)
for getting the user name from a cookie:
_cookie_to_name() and _get_name_for_cookie()
- which don't seem to make any attempt to verify that the user name
they get from the DB record is a valid user (this is in Trac 1.2, as well
as in the latest Trac 1.5.3).
Then _get_name_for_cookie() gets called in authenticate(), and again,
no attempt to validate the user is done.

From what we observe in Trac 1.2, users granted TRAC_ADMIN still have
their auth cookies in the DB, and are able to modify comments in tickets,
despite being removed as TRAC_ADMINS, through the web admin,
and removed from the list of users in the file pointed to by htdigest_file=
in trac.ini's [account-manager] section
(and with their sessions removed via "trac-admin <> session delete <user>").
So it seems that such removals don't trigger the purge of their auth
cookies from the database, even after a full restart of trac. Shouldn't
there be a startup check done on users, with cookies for users no longer
present being invalidated?
Was this ever reported as a bug?

Anyhow, assuming all the authenticated access to tickets goes via
authenticate() in LoginModule, it should be trivial to make tickets
read-only by making the latter return None all the time...

Thanks,
Dima

>
> See also:
>
> - https://trac.edgewall.org/wiki/1.2/TracInstall#MandatoryDependencies
> - https://trac.edgewall.org/wiki/DatabaseBackend
>
> --
> Jun Omae <jun66j5@gmail.com>
>

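The clean-up discussed in this thread, as an added example that is not part of any post and is not Trac's own code: it deletes auth_cookie rows either for every user or only for users no longer listed in the htdigest file. It assumes a SQLite backend and the auth_cookie columns (cookie, name, ipnr, time) of Trac's default schema; the function names, the in-memory database and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed htdigest content (user:realm:hash); the hashes are placeholders.
SAMPLE_HTDIGEST = "alice:trac:{}\nbob:trac:{}\n".format("0" * 32, "1" * 32)

def htdigest_users(text):
    """Return the set of user names in htdigest-format text."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}

def demo_db():
    """Constructed in-memory stand-in for a Trac SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_cookie (cookie text, name text, ipnr text,"
               " time integer, UNIQUE (cookie, ipnr, name))")
    db.executemany("INSERT INTO auth_cookie VALUES (?, ?, ?, ?)", [
        ("c1", "alice", "192.0.2.1", 1675000000),
        ("c2", "bob", "192.0.2.2", 1675000100),
        ("c3", "carol", "192.0.2.3", 1675000200),  # removed from htdigest
        ("c4", "carol", "192.0.2.4", 1675000300),  # second browser, same user
        ("c5", "dave", "192.0.2.5", 1675000400),   # removed from htdigest
    ])
    db.commit()
    return db

def purge_auth_cookies(db, valid_users=None):
    """Delete login cookies server-side and return the affected user names.

    valid_users=None removes every row (logs everyone out); otherwise only
    rows whose name is not in valid_users are removed.
    """
    names = [n for (n,) in db.execute("SELECT DISTINCT name FROM auth_cookie")]
    doomed = sorted(n for n in names
                    if valid_users is None or n not in valid_users)
    with db:  # one transaction: commit on success, roll back on error
        db.executemany("DELETE FROM auth_cookie WHERE name = ?",
                       [(n,) for n in doomed])
    return doomed

if __name__ == "__main__":
    db = demo_db()
    print("stale:", purge_auth_cookies(db, htdigest_users(SAMPLE_HTDIGEST)))
    print("all:  ", purge_auth_cookies(db))
```

Against a real environment, back up the database first and open the file named by the [trac] database option instead of the in-memory stand-in.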