Where does trac store the users and passwords in a default installation?

Question

I have a long list of users to delete. I logged in the trac.db but I don't find anything similar to a user/password table. where does trac store the users and passwords in a default installation?

Answer 1

For future reference: probably the easiest way (since Trac 0.12) would be to use

$ trac-admin <path-to-trac-env> session list
$ trac-admin <path-to-trac-env> session delete username1 username2 ...

Answer 2

First and foremost: There is no clearly shaped concept of neither account nor user in Trac until now. What is referred to as 'username' is basically the authenticated session ID, or an arbitrary string mapped to an 'anonymous' session.

Look at the definitive reference on Trac's db schema:

The session table holds all valid session IDs. Note that the key is 'sid' + 'authenticated' flag (0 = unauthenticated, 1 = authenticated). Users in anonymous sessions are allowed to choose another, more memorable session ID via session preferences, if they like.

It depends on the Trac db back-end, if the primary key for session is enforced as foreign key in session_attribute too. This is the other relevant table, that holds additional attributes like first name+surname or email address for a given session. Again 'sid' + 'authenticated' flag combined are the primary key there.

Anonymous sessions get purged after some time of inactivity (watch out for POSIX seconds/microseconds timestamps in 'last_visit' of session table) by Trac automatically, while entries for authenticated sessions stay there forever. You're most likely looking for them (SELECT sid,last_visit FROM session WHERE authenticated=1).

You'll not find a password hash in the Trac db. Only Trac plugins like AccountManager's SessionStore will store their password hash (should never-ever be a password in cleartext) in the db (table 'session_attribute' in that case). Depending on your authentication setup the user credentials are managed independently, i.e. in a file in Apache htpasswd/htdigest format, that is used by the web-server Trac is running on, or tracd for the stand-alone Trac setup.