incubator-couchdb-user mailing list archives

From Christopher Bonhage <quee...@me.com>
Subject Re: Interpretation of session timeout
Date Thu, 10 Jan 2013 19:50:44 GMT
Hello Jens,

The AuthSession cookie appears to contain the access time in the encoded session data:

> [User, TimeStr, HashStr] = try
>             AuthSession = couch_util:decodeBase64Url(Cookie),
>             [_A, _B, _Cs] = re:split(?b2l(AuthSession), ":",
>                                      [{return, list}, {parts, 3}])

However, CouchDB appears to be re-setting the cookie with a new timestamp after every request
(as long as it is not within 10% of expiration):

> cookie_auth_header(#httpd{user_ctx=#user_ctx{name=User}, auth={Secret, true}}=Req, Headers) ->
>     % Note: we only set the AuthSession cookie if:
>     %  * a valid AuthSession cookie has been received
>     %  * we are outside a 10% timeout window
>     %  * and if an AuthSession cookie hasn't already been set e.g. by a login
>     %    or logout handler.
>     % The login and logout handlers need to set the AuthSession cookie
>     % themselves.
>     CookieHeader = couch_util:get_value("Set-Cookie", Headers, ""),
>     Cookies = mochiweb_cookies:parse_cookie(CookieHeader),
>     AuthSession = couch_util:get_value("AuthSession", Cookies),
>     if AuthSession == undefined ->
>         TimeStamp = make_cookie_time(),
>         [cookie_auth_cookie(Req, ?b2l(User), Secret, TimeStamp)];
>     true ->
>         []
> end;


So, it looks like you're in luck!

~Christopher Bonhage

On Jan 10, 2013, at 11:31 AM, Jens Alfke <jens@couchbase.com> wrote:

> The default value of the couch_httpd_auth/timeout config param is 600, meaning that cookie-based
> sessions expire in ten minutes.
> 
> Does this mean ten minutes after the session was first created, or after ten minutes
> of no activity? (That is, does each subsequent request extend the session expiration time?)
> 
> I ask because, in the former interpretation, ten minutes seems like a very frustratingly
> short expiration time — I would not keep using a website that forced me to log in again
> every ten minutes!
> 
> Obviously the admin can increase this value, but as I’m writing general purpose libraries
> that interact with arbitrary CouchDB servers [i.e. TouchDB and CouchCocoa] I have to work
> with whatever’s set in the remote database. And ten minutes is short enough that my session
> might expire in the middle of a replication, for example, which would complicate my auth logic.
> 
> —Jens

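As an added example (not code from this thread or from CouchDB itself), here is a Python model of the AuthSession mechanism the reply above describes: the cookie is base64url(User ":" TimeStr ":" Hash), it is parsed with at most three parts (the `{parts, 3}` in the quoted `re:split`, since the raw hash may itself contain ':' bytes), and the server re-issues it with a fresh timestamp on a request once the "10% window" has passed. The page shows only the three-field layout; the hex timestamp, the HMAC-SHA1 over `User:TimeStr` keyed with the server secret, the reading of the 10% window as "re-issue once less than 90% of the timeout remains", and the `SECRET`, user name and request timings below are all assumptions constructed for this example. `simulate()` replays a client's request times against that rule, which is the question the thread asks: whether activity extends the session.

```python
import base64
import hashlib
import hmac

# Constructed fixtures: not taken from any real CouchDB server.
SECRET = b"example-secret-and-user-salt"  # assumption: stands in for Secret ++ UserSalt
TIMEOUT = 600  # couch_httpd_auth/timeout default quoted in the thread (seconds)


def _b64url_encode(raw: bytes) -> str:
    # couch_util:encodeBase64Url-style: URL alphabet, '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # re-add the padding that was stripped before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_auth_session(user: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Build a cookie value: base64url(User ":" HexTime ":" HMAC-SHA1(User ":" HexTime)).
    Hex timestamp and HMAC-SHA1 are assumptions about the server side."""
    session_data = f"{user}:{issued_at:X}".encode("utf-8")
    mac = hmac.new(secret, session_data, hashlib.sha1).digest()  # raw bytes, may contain ':'
    return _b64url_encode(session_data + b":" + mac)


def parse_auth_session(cookie: str):
    """Mirror of the quoted re:split with {parts, 3}: split at most twice so the
    raw MAC stays intact even when it contains ':' bytes."""
    user, time_str, mac = _b64url_decode(cookie).split(b":", 2)
    return user.decode("utf-8"), int(time_str, 16), mac


def verify_auth_session(cookie: str, secret: bytes = SECRET) -> bool:
    """Recompute the MAC over the cookie's own User:TimeStr bytes and compare in constant time."""
    user, time_str, mac = _b64url_decode(cookie).split(b":", 2)
    expected = hmac.new(secret, user + b":" + time_str, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def seconds_left(cookie: str, now: int, timeout: int = TIMEOUT) -> int:
    """Seconds until this cookie expires; the timestamp is the last issue time, not login time."""
    _, issued_at, _ = parse_auth_session(cookie)
    return issued_at + timeout - now


def server_would_refresh(cookie: str, now: int, timeout: int = TIMEOUT) -> bool:
    """Assumed reading of the 10% window: a still-valid cookie is re-issued once
    less than 90% of the timeout remains, i.e. at least 10% has elapsed."""
    return 0 < seconds_left(cookie, now, timeout) < 0.9 * timeout


def simulate(request_times, timeout: int = TIMEOUT, user: str = "jens"):
    """Log in at request_times[0], then replay the remaining request times.
    Returns [(time, authenticated)] and refreshes the cookie exactly when the
    modelled server would, so the session survives steady activity but not an
    idle gap longer than the timeout."""
    cookie = make_auth_session(user, request_times[0])
    results = []
    for t in request_times[1:]:
        if seconds_left(cookie, t, timeout) <= 0 or not verify_auth_session(cookie):
            results.append((t, False))  # expired: the client must log in again
            continue
        results.append((t, True))
        if server_would_refresh(cookie, t, timeout):
            cookie = make_auth_session(user, t)  # Set-Cookie with a new timestamp
    return results


if __name__ == "__main__":
    print(simulate([0, 300, 600, 900, 1200]))  # steady activity keeps the session alive
    print(simulate([0, 30, 630]))  # a request inside the first 10% does not extend it
```

Two things the replay makes visible for a client library: with a request at least every ~90% of the timeout the session never expires, which answers the thread's question for the common case; but a request made within the first 10% of the window leaves the old timestamp in place, so a client that issues one quick request after login and then idles for the full timeout is still logged out. A library that starts a long operation such as a replication can therefore decode the cookie, check `seconds_left`, and make a cheap authenticated request first if the remaining time is short.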
