Thanks for the pointer to secure_cookies option. The trac installation instructions say:
- Apache <https://httpd.apache.org/> with - mod_wsgi <https://github.com/GrahamDumpleton/mod_wsgi>, see TracModWSGI <https://trac.edgewall.org/wiki/TracModWSGI> and ModWSGI IntegrationWithTrac <https://code.google.com/p/modwsgi/wiki/IntegrationWithTrac>. - mod_python 3.5.0 <https://modpython.org/>, see TracModPython <https://trac.edgewall.org/wiki/TracModPython> So as it stands now it isn't possible to run trac under apache because of this conflict. This is what I'm hoping is going to be remedied in a future release. On Tuesday, January 21, 2025 at 10:07:16 PM UTC-7 Jun Omae wrote: > On Wed, Jan 22, 2025 at 5:54 Mike L <[email protected]> wrote: > >> Per: >> https://www.modwsgi.org/en/develop/user-guides/installation-issues.html >> >> *Using mod_python and mod_wsgi together is no longer supported and recent >> versions of mod_wsgi will cause the startup of Apache to be aborted if both >> are loaded at the same time.* >> >> This is true now of these versions of mod_wsgi in the last two Ubuntu >> releases: >> >> libapache2-mod-wsgi-py3/jammy-updates,jammy-security,now 4.9.0-1ubuntu0.1 >> amd64 >> libapache2-mod-wsgi-py3/noble 5.0.0-1build2 amd64 >> >> I get the same error from both: >> >> The mod_python module can not be used in conjunction with mod_wsgi 4.0+. >> Remove the mod_python module from the Apache configuration. >> AH00016: Configuration Failed >> > > That is not an issue of Trac. Ask on mod_wsgi forum, not here. > > > > >> Is there a workaround for this or fix planned? I need to run subversion >> in the same webserver instance so standalone trac webserver isn't viable >> (also with standalone server our pentests flag http-only cookies as >> vulnerability). >> >> >> >> >> >> >> *The cookies:Set-Cookie: trac_form_token=***replaced***; HttpOnly; >> Path=/Set-Cookie: trac_session=***replaced***; expires=Tue, 01 Apr 2025 >> 07:19:16 GMT; HttpOnly; Path=/are missing the "secure" attribute*I'd >> proxy standalone to get my subversion working, but don't think that fixes >> http-only cookies >> > > Use [trac] secure_cookies option. > > https://trac.edgewall.org/wiki/TracIni#trac-secure_cookies-option > > -- You received this message because you are subscribed to the Google Groups "Trac Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/trac-users/647cfc26-5a8a-4a23-8f8e-e0551f112a17n%40googlegroups.com.
