Trac Cookie Revocation

Last week there was some spam posted to the WordPress core bug tracker. The accounts involved can easily have their access blocked and their passwords changed, which invalidates the cookies used to access the forums and also stops them from logging into the bug tracker again. However, the trac_auth cookie (the cookie that Trac uses to authenticate a browser to a particular user account after valid login details are provided) is not tied to a user's password; instead it stores a random string that is looked up in the auth_cookie table of the Trac database on each request. A password change therefore leaves the cookie valid, and until it expires, when the user closes their browser or 10 days after initial sign-on, the spammer remains authenticated to their profile and can continue to post spam on the bug tracker.

So, because I was curious (and I had to find something to do other than revision for a machine learning test on Tuesday), I decided to write a short Trac plugin to allow a TRAC_ADMIN user to revoke user cookies. The plugin registers a new administration panel and provides the HTML template for its display. The new panel is just a simple form with a single input for entering the target's username. After the form is submitted the plugin handles the POST request and deletes the row (or rows) in the auth_cookie table matching the given username. On subsequent requests to the Trac instance the value stored in the user's trac_auth cookie no longer matches any entry in the database, so the user is no longer authenticated.
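As an added illustration for this post (it is neither the plugin's code from github nor Trac's own source), the Python below models the two things described above: the way Trac maps a trac_auth value back to a user through the auth_cookie table, and the revocation the plugin performs by deleting that user's rows. The table columns (cookie, name, ipnr, time), the optional IP check and the 10-day purge window are Trac's; the in-memory SQLite wrapper, the user names and the addresses are constructed for the example, and the SQL is a simplified stand-in for Trac's database layer.

```python
"""Model of Trac's trac_auth lookup and the revocation the admin panel performs.

Added example, not the plugin's or Trac's own code. The auth_cookie table is
recreated in SQLite so the behaviour can be run offline.
"""
import os
import sqlite3
import time

COOKIE_MAX_AGE = 86400 * 10  # Trac drops auth_cookie rows older than 10 days


class AuthCookieStore:
    def __init__(self, check_ip=False):
        # check_ip mirrors Trac's [trac] check_auth_ip option
        self.db = sqlite3.connect(":memory:")
        self.check_ip = check_ip
        self.db.execute(
            "CREATE TABLE auth_cookie ("
            " cookie TEXT, name TEXT, ipnr TEXT, time INTEGER,"
            " UNIQUE (cookie, ipnr, name))"
        )

    def login(self, name, ipnr, now=None):
        """Mint a trac_auth value: a random token stored beside the user name.
        Nothing derived from the password is in it, which is why a password
        change alone cannot invalidate it."""
        now = int(now if now is not None else time.time())
        cookie = os.urandom(16).hex()  # Trac uses its hex_entropy() helper here
        with self.db:
            self.db.execute(
                "INSERT INTO auth_cookie (cookie, name, ipnr, time)"
                " VALUES (?, ?, ?, ?)", (cookie, name, ipnr, now))
        return cookie

    def name_for_cookie(self, cookie, ipnr=None):
        """What Trac does on every request: map the cookie back to a user.
        Returns None when no row matches, i.e. the browser is anonymous."""
        if self.check_ip:
            row = self.db.execute(
                "SELECT name FROM auth_cookie WHERE cookie=? AND ipnr=?",
                (cookie, ipnr)).fetchone()
        else:
            row = self.db.execute(
                "SELECT name FROM auth_cookie WHERE cookie=?",
                (cookie,)).fetchone()
        return row[0] if row else None

    def revoke_user(self, name):
        """The plugin's operation: delete every auth_cookie row for the user
        name entered in the admin form, so all of that user's browsers are
        logged out at once. The name is a bound parameter, never pasted into
        the SQL string. Returns the number of rows removed."""
        with self.db:
            cur = self.db.execute("DELETE FROM auth_cookie WHERE name=?", (name,))
        return cur.rowcount

    def purge_expired(self, now=None):
        """Trac's built-in expiry: drop rows older than 10 days. Without the
        plugin this is the only server-side revocation that happens."""
        now = int(now if now is not None else time.time())
        with self.db:
            cur = self.db.execute(
                "DELETE FROM auth_cookie WHERE time < ?", (now - COOKIE_MAX_AGE,))
        return cur.rowcount


def demo():
    """The scenario from the post: a spammer logged in from two browsers stays
    authenticated until an admin revokes the cookies by user name."""
    store = AuthCookieStore()
    spam_a = store.login("spammer", "203.0.113.7")       # constructed sample
    spam_b = store.login("spammer", "203.0.113.8")       # constructed sample
    other = store.login("maintainer", "198.51.100.4")    # constructed sample

    before = store.name_for_cookie(spam_a)        # "spammer"
    removed = store.revoke_user("spammer")        # 2 rows, one per browser
    after = (store.name_for_cookie(spam_a),
             store.name_for_cookie(spam_b))       # (None, None)
    untouched = store.name_for_cookie(other)      # "maintainer"
    return before, removed, after, untouched


if __name__ == "__main__":
    print(demo())
```

Deleting by name rather than by cookie value is what makes this usable from an admin form: the administrator knows the offending username but never sees the random token in the spammer's browser.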

Revoking a trac_auth cookie

The code can be found on github. Currently the master branch and the 0.1 tag run with Trac 0.12 and later, whilst the develop branch contains a small update that makes use of the enhancements to the Trac database API in the as-yet-unreleased Trac 0.13 (which eventually shipped as Trac 1.0).

I found the process of writing a Trac plugin to be quite interesting and fun. Using my (basic) Python knowledge again was a good experience too. I already have a project lined up which requires a Trac plugin to be developed, so this was also a nice, easy way to set up the necessary development environment in advance and get myself acquainted with the API.

This entry was posted on 26 October 2011.