couchdb-dev mailing list archives

From "Robert Newson (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (COUCHDB-2042) Session not cleared after DELETE /_session (cookie auth)
Date Wed, 29 Jan 2014 17:12:09 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Newson resolved COUCHDB-2042.
------------------------------------

    Resolution: Invalid

The DELETE method returns a header that instructs the user agent to discard the cookie they've
stored. In your examples, you have not done so (curl supports options to read and write a
cookie jar that you are not using).

Cookies have an embedded timestamp, signed by the server, after which they are not considered
valid. CouchDB does *not* have any knowledge of outstanding sessions and, thus, cannot delete
sessions.

If a browser is not clearing the cookie on sign out, that's a bug. This demonstration with
curl is not demonstrating the bug you think it is.


> Session not cleared after DELETE /_session (cookie auth)
> --------------------------------------------------------
>
>                 Key: COUCHDB-2042
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2042
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.4.0, 1.5.0
>            Reporter: Johannes J. Schmidt
>              Labels: security
>
> The session remains valid after deletion.
> Steps to reproduce:
> h3. Login
> {code}
> o@think:~$ curl -i -XPOST localhost:5984/_session -d'{"name":"jo","password":"secure"}' -H'Content-Type:application/json'
> HTTP/1.1 200 OK
> Set-Cookie: AuthSession=am86NTJFOTE1NzM6s-jpL-0bFHe7K73tcJEYPymaXIU; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.4.0 (Erlang OTP/R16B01)
> Date: Wed, 29 Jan 2014 14:51:31 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 43
> Cache-Control: must-revalidate
> {"ok":true,"name":null,"roles":["_admin"]}
> {code}
> h3. Logout
> {code}
> jo@think:~$ curl -i -XDELETE localhost:5984/_session
> HTTP/1.1 200 OK
> Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.4.0 (Erlang OTP/R16B01)
> Date: Wed, 29 Jan 2014 14:51:41 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 12
> Cache-Control: must-revalidate
> {"ok":true}
> {code}
> h3. Check session using previous cookie
> {code}
> jo@think:~$ curl -i localhost:5984/_session -b'AuthSession=am86NTJFOTE1NzM6s-jpL-0bFHe7K73tcJEYPymaXIU; Version=1; Path=/; HttpOnly'
> HTTP/1.1 200 OK
> Server: CouchDB/1.4.0 (Erlang OTP/R16B01)
> Date: Wed, 29 Jan 2014 14:51:57 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 173
> Cache-Control: must-revalidate
> {"ok":true,"userCtx":{"name":"jo","roles":["_admin"]},"info":{"authentication_db":"_users","authentication_handlers":["oauth","cookie","default"],"authenticated":"cookie"}}
> {code}
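The mechanism Newson describes above (a self-contained cookie whose only expiry is the server-signed timestamp embedded in it, and a DELETE that merely asks the client to discard it), as an added model that is not CouchDB's own code: a cookie-jar client that honours the logout response loses access immediately, a hand-pasted copy of the old value keeps working until the timeout, and a forged value fails the signature check. The secret, the 600-second lifetime, the payload layout and the clock value are constructed for the example.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # constructed, not a CouchDB value
TIMEOUT = 600                            # constructed cookie lifetime in seconds

def _sign(name: str, issued: int) -> str:
    # HMAC over "name:issued-hex"; the server keeps no per-session record.
    return hmac.new(SECRET, f"{name}:{issued:X}".encode(), hashlib.sha1).hexdigest()

def issue_cookie(name: str, now: int) -> str:
    """Login (POST /_session): return a self-contained signed cookie value."""
    payload = f"{name}:{now:X}:{_sign(name, now)}".encode()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=")

def verify_cookie(cookie: str, now: int):
    """Return the user name if the signature checks and the cookie has not timed out, else None."""
    padded = cookie + "=" * (-len(cookie) % 4)
    try:
        name, issued_hex, sig = base64.urlsafe_b64decode(padded).decode().split(":")
        issued = int(issued_hex, 16)
    except ValueError:                     # malformed, empty or tampered encoding
        return None
    if not hmac.compare_digest(sig, _sign(name, issued)):
        return None
    if now - issued > TIMEOUT:             # the embedded timestamp is the only expiry
        return None
    return name

def logout_headers() -> dict:
    """DELETE /_session: the server can only ask the client to discard the cookie."""
    return {"Set-Cookie": "AuthSession=; Version=1; Path=/; HttpOnly"}

def apply_set_cookie(jar: dict, headers: dict) -> None:
    """A cookie-jar client honouring Set-Cookie (what curl's -c/-b jar does)."""
    name, _, rest = headers["Set-Cookie"].partition("=")
    jar[name] = rest.split(";", 1)[0]      # empty value: cookie discarded

def demo() -> dict:
    t0 = 1_391_000_000                       # constructed clock value
    jar = {"AuthSession": issue_cookie("jo", t0)}
    stale_copy = jar["AuthSession"]          # value pasted by hand, as in the report's -b
    apply_set_cookie(jar, logout_headers())  # client follows the DELETE response
    forged = base64.urlsafe_b64encode(b"jo:1:deadbeef").decode().rstrip("=")
    return {
        "jar_after_logout": verify_cookie(jar["AuthSession"], t0 + 5),
        "stale_copy_after_logout": verify_cookie(stale_copy, t0 + 5),
        "stale_copy_after_timeout": verify_cookie(stale_copy, t0 + TIMEOUT + 1),
        "forged": verify_cookie(forged, t0 + 5),
    }
```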



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
