couchdb-dev mailing list archives

From "max ogden (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-1304) set Expires header on session cookies to make them persistent
Date Sat, 29 Oct 2011 19:29:32 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13139406#comment-13139406 ]

max ogden commented on COUCHDB-1304:
------------------------------------

I took a stab at writing a test for this but JavaScript is explicitly blocked from accessing
HttpOnly cookies so there's no way in client-side JS to verify that a cookie has a Max-Age
or Expires attribute on it when it comes back from the POST to /_session. Any ideas on how
else to test this?

Also, we can probably just use the couch_httpd_auth timeout value verbatim as the value in
the Max-Age property on the AuthSession cookie as described in http://tools.ietf.org/html/rfc6265
section 4.1.2.2.
> set Expires header on session cookies to make them persistent
> -------------------------------------------------------------
>
>                 Key: COUCHDB-1304
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1304
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: HTTP Interface
>    Affects Versions: 1.1
>            Reporter: max ogden
>            Priority: Minor
>              Labels: authentication, cookie
>             Fix For: 1.2
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> currently couch's cookie based authentication only sets session cookies as opposed to
> persistent cookies. the difference between these two is the Expires header. if it is not present
> most web browsers will delete your cookie when you quit your browser, whereas if it is set
> then your browser keeps the cookie around until the time specified by the Expires header.
> This sucks for UX because when users quit and re-launch their browser they'll have to log
> in again.
> I am proposing that we set the Expires header in cookies to match the time in the couch_httpd_auth
> timeout.
> p.s. this is similar to the issue I opened https://issues.apache.org/jira/browse/COUCHDB-1095
> but at that time I didn't realize that what I really wanted was the Expires header

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
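The testing obstacle raised in the comment above only exists inside a browser: `document.cookie` hides HttpOnly cookies, but the raw `Set-Cookie` response header is fully visible to any HTTP client that performs the POST to /_session itself. The following is an added example, not CouchDB's code or part of its test suite: it parses a `Set-Cookie` value along the lines of RFC 6265 section 5.2, determines whether the cookie is persistent under the section 5.3 rules (a valid Max-Age makes it persistent and takes precedence; otherwise a valid Expires does), and checks that the `AuthSession` cookie is HttpOnly with a lifetime equal to the couch_httpd_auth timeout. The header strings, the placeholder token and the 600-second timeout are constructed for the example; the function names are mine.

```javascript
// Added example (not CouchDB code): check the Set-Cookie header returned by
// POST /_session at the HTTP layer, where HttpOnly does not hide the cookie.

// Parse one Set-Cookie header value into { name, value, attrs } following the
// shape of RFC 6265 section 5.2: split on ';', the first part is name=value,
// attribute names are case-insensitive and value-less attributes become true.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie without a name=value pair');
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const attrName = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[attrName] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 section 5.3: a valid Max-Age makes the cookie persistent and wins
// over Expires; otherwise a parseable Expires makes it persistent. Returns the
// lifetime in seconds relative to `now`, or null for a plain session cookie.
function persistentLifetimeSeconds(cookie, now = Date.now()) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return Number(maxAge);
  }
  const expires = cookie.attrs['expires'];
  if (typeof expires === 'string') {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) return Math.round((t - now) / 1000);
  }
  return null;
}

// The check the ticket asks for: AuthSession must stay HttpOnly and must carry
// a lifetime equal to the configured couch_httpd_auth timeout (in seconds).
// Returns a list of findings; an empty list means the cookie passes.
function checkAuthSessionCookie(setCookieHeader, timeoutSeconds, now = Date.now()) {
  const findings = [];
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie.name !== 'AuthSession') {
    findings.push(`unexpected cookie name ${cookie.name}`);
  }
  if (cookie.attrs['httponly'] !== true) {
    findings.push('missing HttpOnly attribute');
  }
  const lifetime = persistentLifetimeSeconds(cookie, now);
  if (lifetime === null) {
    findings.push('session cookie: no Max-Age or Expires, dropped when the browser closes');
  } else if (lifetime !== timeoutSeconds) {
    findings.push(`lifetime ${lifetime}s does not match timeout ${timeoutSeconds}s`);
  }
  return findings;
}

// Constructed sample headers; the token is a placeholder, not a real session.
const TIMEOUT = 600; // assumed couch_httpd_auth timeout, in seconds
const BEFORE = 'AuthSession=PLACEHOLDER_TOKEN; Path=/; HttpOnly';
const AFTER = `AuthSession=PLACEHOLDER_TOKEN; Path=/; Max-Age=${TIMEOUT}; HttpOnly`;

console.log('before fix:', checkAuthSessionCookie(BEFORE, TIMEOUT));
console.log('after fix: ', checkAuthSessionCookie(AFTER, TIMEOUT));
```

In a real test the header string would come from the response object of the client that issued the POST (for example the `set-cookie` header array in Node's `http` module), so the browser's HttpOnly restriction never applies. Keeping the HttpOnly check alongside the lifetime check matters because a persistent cookie is stored on disk for longer, which makes its exposure to scripts a larger concern than for a session cookie.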