Opened 3 years ago

Closed 19 months ago

#19963 closed defect (fixed)

Cannot login to trac through the onion service

Reported by: cypherpunks Owned by: qbi
Priority: Medium Milestone:
Component: Internal Services/Service - trac Version:
Severity: Normal Keywords:
Cc: weasel, alex@…, admin@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When i try to login to the cypherpunks account through the onion service at http://ea5faa5po25cf7fb.onion i get the following error message

Missing or invalid form token. Secure cookies are enabled, you must use https to submit forms.

Child Tickets

Change History (9)

comment:1 Changed 3 years ago by cypherpunks

Using the timeline with non-default settings is not remembered/stored because it also depends on cookies that don't work.

comment:2 Changed 3 years ago by cypherpunks

Trying to search with a custom query gives the same error message.

comment:3 Changed 3 years ago by qbi

Cc: weasel added

It seems trac requires cookies with the Secure flag. The Onion Service is only served over HTTP, so one can't log in or can't use trac where cookies are needed. AFAIK it is not so easy to get a certificate for the onion address. So what could be a good way to proceed?

  1. Get a certificate?
  2. Remove this onion service?
  3. Put a warning on the trac homepage?
  4. …?

comment:4 Changed 3 years ago by cypherpunks

Brainstorming:

  • Patch trac to remove the "secure flag" requirement for the onion service.
  • Patch it to not require cookies (It's always annoying to log in here because I have to go adjust browser settings, but I guess it wouldn't be easy to patch).
  • Use a self-signed certificate, but "cheat" and ship it with the Tor Browser.
  • Or make a CA constrained to torproject.org and ship that with the browser.
  • Patch the browser to set secure=1 for .onion URLs. (Proper review to determine the security impact probably makes this not worth the effort.)
  • Figure out how to get a certificate from a CA. Consider it an experiment, and document the process so others can do the same.

comment:5 Changed 3 years ago by acceleraTor

it is also not possible to register! But if use https://trac.torproject.org through Tor it says spam blocked and wants a captcha from recaptcha. this is not the best solution in my opinion.

comment:6 Changed 3 years ago by strugee

Cc: alex@… added

comment:7 Changed 3 years ago by cypherpunks

Closed #22054 as a duplicate.

comment:8 Changed 2 years ago by torland

Cc: admin@… added

comment:9 Changed 19 months ago by cypherpunks

Resolution: fixed
Status: newclosed

Fixed with #21537

Note: See TracTickets for help on using tickets.