Opened 22 months ago

Last modified 6 months ago

#24144 new defect

Cannot login or submit forms Trac onion site ('must use HTTPS to submit forms')

Reported by: nido Owned by: qbi
Priority: Medium Milestone:
Component: Internal Services/Service - trac Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Attempting to login on the onion service for trac (http://ea5faa5po25cf7fb.onion) results in 'Error: Bad request. Missing or invalid form token. Secure cookies are enabled, you must use https to submit forms.'

The onion service doesn't work with HTTPS.

Change History (8)

comment:1 Changed 22 months ago by nido

Summary changed from "Cannot login on Trac onion site ('must use HTTPS to submit forms')" to "Cannot login or submit forms Trac onion site ('must use HTTPS to submit forms')"

Not only login, but any form submitted, e.g. any custom query.

comment:2 Changed 22 months ago by arma

Yes, this is expected, and not straightforward to fix.

Trac isn't written to be able to think of itself as multiple server names.

Also, it defends itself from having you use it over plain http, and it doesn't know about onion services so it doesn't know to maybe treat them differently.

The ultimate answer is probably to get an https cert for trac's onion service (which will be more straightforward once onion services are permitted to get DV https certs), and also to rewrite trac as needed so it can handle being multiple server names.

In the meantime, it's probably simplest to close this ticket as a "wontfix", in that we would welcome a trac rewrite but I can't imagine anybody is actually going to do it.

comment:3 Changed 20 months ago by cypherpunks

Error: Bad Request

Missing or invalid form token. Secure cookies are enabled, you must use https to submit forms.

comment:4 Changed 20 months ago by cypherpunks

trac 1.2.2

trac/web/main.py line 230 ~ 234:

    if self.env.secure_cookies and req.scheme == 'http':
        msg = _('Secure cookies are enabled, you must '
                'use https to submit forms.')
    else:
        msg = _('Do you have cookies enabled?')

Removing or uncommenting these might be the answer.

I tried to ask this question on the trac mailing list, but it's using a google maillist.
I don't want to connect to google.com.

Last edited 20 months ago by cypherpunks

comment:5 Changed 20 months ago by cypherpunks

Reviewer: arma
Status: new → needs_review

comment:6 Changed 6 months ago by arma

No, I don't think that by itself will work -- we don't want to make the cookies insecure (i.e. make the browser willing to send them to http sites), so just changing how the server handles it when it receives a cookie won't be enough.
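To illustrate the point made in comment:6, here is an added example (not part of the ticket and not Trac's code) that models a browser applying the RFC 6265 Secure-cookie rule together with a simplified form-token check. The cookie name `form_token`, the `patched` switch and the addresses are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class Browser:
    """Minimal cookie jar applying the RFC 6265 Secure-attribute rule."""

    def __init__(self):
        self.jar = {}  # cookie name -> (value, secure flag)

    def store(self, set_cookie_header):
        # Real browsers may refuse to store this over http; same outcome.
        for name, morsel in SimpleCookie(set_cookie_header).items():
            self.jar[name] = (morsel.value, bool(morsel["secure"]))

    def cookies_for(self, url):
        https = urlsplit(url).scheme == "https"
        # A Secure cookie is only attached to requests on a secure channel.
        return {n: v for n, (v, sec) in self.jar.items() if https or not sec}


def check_form_token(cookies, form, scheme, secure_cookies, patched=False):
    """Simplified model of the server-side check (not Trac's code).
    patched=True models removing the scheme-specific branch quoted in
    comment:4; the token comparison itself is unchanged.
    """
    token = cookies.get("form_token")  # hypothetical cookie name
    if token is not None and form.get("form_token") == token:
        return "ok"
    if secure_cookies and scheme == "http" and not patched:
        return "Secure cookies are enabled, you must use https to submit forms."
    return "Do you have cookies enabled?"


def submit(url, set_cookie, patched=False):
    """Store the server's cookie, then post the form back to `url`."""
    browser = Browser()
    browser.store(set_cookie)
    # The hidden form field carries the same token the cookie was set to.
    form = {"form_token": SimpleCookie(set_cookie)["form_token"].value}
    scheme = urlsplit(url).scheme
    return check_form_token(browser.cookies_for(url), form, scheme, True, patched)


SECURE = "form_token=abc123; Path=/; Secure"  # constructed sample header
ONION = "http://example.onion/login"          # placeholder address

if __name__ == "__main__":
    for patched in (False, True):  # rejected either way over http
        print(submit(ONION, SECURE, patched=patched))
```

With the branch removed the request still fails, only with the other message, because the browser never sends the token cookie over plain http.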

comment:7 Changed 6 months ago by arma

Reviewer: arma
Status: needs_review → new

(Making me a reviewer on a ticket does not mean that I am any more likely to review the ticket. In fact, it can mean the opposite.)

comment:8 Changed 6 months ago by teor

(It also means that no-one else will review the ticket.)
