Hi Remy, Many, many thanks (again) for your answers and links.
~ mark c

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Remy Blank
> Sent: 14 November 2011 21:27
> To: [email protected]
> Subject: Re: [Trac] Session validation / timeout
>
> Cooke, Mark wrote:
> > ~ are the session IDs at least 64-bits of random data?
>
> - Anonymous session cookies have 24 hex digits = 96 bits of random data:
>
>   http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=189#L184
>
> - Authentication cookies have 32 hex digits = 128 bits of random data:
>
>   http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=172#L161
>   http://trac.edgewall.org/browser/trunk/trac/util/__init__.py?rev=10841&marks=621#L619
>
> > ~ does a session timeout and is the period configurable?
>
> - Anonymous session cookies expire after 90 days of inactivity, and this timeout is not configurable:
>
>   http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=200,204#L200
>   http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=35#L33
>
> - Authentication cookies expire when closing the browser by default, but this can be configured with the [trac] auth_cookie_lifetime option in trac.ini:
>
>   http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=184-185#L179
>   http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=69#L68
>
> > ~ are the `secure` and `http_only` flags set for cookies?
>
> - The "secure" flag is not set by default, but this can be configured with the [trac] secure_cookies option in trac.ini:
>
>   http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=182-183#L179
>   http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=205-206#L200
>   http://trac.edgewall.org/browser//trunk/trac/env.py?rev=10812&marks=169-175#L168
>
> - We don't currently support the "http_only" flag. I thought we had an enhancement request for that, but I can't find it, so it looks like we don't. We would certainly accept a good patch that adds this functionality (it's fairly simple to do, and doesn't have to be configurable AFAICT).
>
> -- Remy
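As an added illustration of the properties Remy lists above (token entropy, cookie lifetime, and the Secure and HttpOnly flags), here is a small Python example. It is not Trac's own code: it mints hex tokens of the two sizes quoted in the thread from the OS CSPRNG, emits a Set-Cookie header with the chosen attributes, and audits any Set-Cookie value for the weaknesses the thread discusses (missing flags, a lifetime beyond the 90-day ceiling mentioned, a hex token shorter than 96 bits). The cookie names and the 90-day bound come from the thread; the function names are assumptions of this example.

```python
import secrets
import string
from http.cookies import SimpleCookie

# Token sizes quoted in the thread: 24 hex digits (96 bits) for anonymous
# sessions, 32 hex digits (128 bits) for authentication cookies.
ANON_SESSION_HEX_DIGITS = 24
AUTH_COOKIE_HEX_DIGITS = 32
MAX_SESSION_LIFETIME = 90 * 86400  # 90 days, the anonymous-session timeout


def new_token(hex_digits):
    """Return a random hex token of the requested length (2 hex digits per byte)."""
    return secrets.token_hex(hex_digits // 2)


def build_set_cookie(name, value, max_age=None, secure=True, http_only=True):
    """Build a Set-Cookie header value with Path, optional Max-Age and flags."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if max_age is not None:
        morsel["max-age"] = max_age
    if secure:
        morsel["secure"] = True
    if http_only:
        morsel["httponly"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of findings for a Set-Cookie header value (empty = fine)."""
    findings = []
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    _name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    if "secure" not in attrs:
        findings.append("missing Secure flag")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag")
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) > max_lifetime:
                findings.append("lifetime exceeds %d seconds" % max_lifetime)
        except ValueError:
            findings.append("unparseable Max-Age")
    # For a hex token, 4 bits per digit is an upper bound on its randomness.
    if value and all(ch in string.hexdigits for ch in value) and len(value) * 4 < 96:
        findings.append("token carries fewer than 96 bits of randomness")
    return findings


if __name__ == "__main__":
    # Constructed sample: a hardened authentication cookie and a weak one.
    good = build_set_cookie("trac_auth", new_token(AUTH_COOKIE_HEX_DIGITS), max_age=3600)
    weak = "trac_session=abcdef0123; Path=/"
    print(good, "->", audit_set_cookie(good))
    print(weak, "->", audit_set_cookie(weak))
```

The audit treats the absence of Max-Age as acceptable, since a cookie that expires when the browser closes is the default Remy describes for authentication cookies; it only flags a lifetime that exceeds the given ceiling.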
