Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2021/11/22 15:35:12 UTC

[GitHub] [couchdb] tudordumitriu opened a new issue #3840: chttpd_auth with cookie_domain is not returning the domain in cookie in Unauthorized sessions (401) and subsequent authenticated calls will include 2 AuthSession cookies

tudordumitriu opened a new issue #3840:
URL: https://github.com/apache/couchdb/issues/3840


   cookie_domain is not sent on 401 Unauthorized Set-Cookie header causing 2 AuthSession cookies to be sent
   
   ## Description
   We do have a special scenario because we are using the AuthSession cookie returned by CouchDB in other (third party / friendly) API calls (hence the cookie needs to be shared across subdomains; the API has the secret and can decode the cookie).
   Now the problem is that these services (including CouchDB) are published under the same domain (different subdomains, different IPs), so the only way to make sure the cookie is correctly shared is using the cookie_domain, which seems to be working fine.
   But, in the case of incorrect credentials, a (correct) 401 response is returned by CouchDB and there is a Set-Cookie header with AuthSession=; (with no domain) that should reset/delete the cookie.
   If correct credentials are sent the second time, CouchDB returns the correct Set-Cookie with AuthSession and Domain.
   Problem: subsequent calls are getting 2 AuthSession cookies (the first empty and the second the correct one), but CouchDB returns 401 (Unauthorized).
   
   ## Steps to Reproduce
   1. Send incorrect credentials to /_session => Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
   2. Send correct credentials to /_session => Set-Cookie: AuthSession=XXXX; Version=1; Expires=Wed, 22-Dec-2021 17:41:26 GMT; Max-Age=2600000; Domain=domain.com; Path=/; HttpOnly; SameSite=Lax
   3. Send a call to /_users/org.couchdb.user%3AX => the request will carry Cookie: AuthSession=; AuthSession=XXXX (both)
   
   ## Expected Behaviour
   When sending incorrect credentials, the Set-Cookie header should include the domain, and therefore there should be only one cookie.
   
   ## Your Environment
   CouchDB version used: 3.1.1 Docker Image Via K8S Service (Azure AKS)
   Browser name and version: Chrome 96, Edge 96, Firefox 94
   Operating system and version: Windows 10 Pro
   


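A minimal cookie-jar model that replays the three steps of the report and shows why the browser ends up sending two AuthSession cookies, and that putting the same Domain on the 401 Set-Cookie collapses them to one. This is an added example, not CouchDB's code: the host name couch.domain.com is an assumption, and the Set-Cookie values are the ones quoted in the issue (XXXX stands for the real token).

```python
"""Minimal RFC 6265-style cookie jar, used to replay the three steps above.
Added example (not CouchDB code). HOST is an assumed subdomain; the
Set-Cookie values are the ones quoted in the issue (XXXX = session token)."""

HOST = "couch.domain.com"  # assumed host CouchDB is served from
GOOD_LOGIN = ("AuthSession=XXXX; Version=1; Expires=Wed, 22-Dec-2021 17:41:26 GMT; "
              "Max-Age=2600000; Domain=domain.com; Path=/; HttpOnly; SameSite=Lax")

def parse_set_cookie(header):
    """Split a Set-Cookie value into name/value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie

def apply_set_cookie(jar, request_host, header):
    """Store under (name, domain, path). Without a Domain attribute the cookie is
    host-only for request_host, a different jar entry from a Domain=domain.com
    cookie of the same name. Only Max-Age<=0 deletes; an empty value with no
    expiry just stores an empty cookie (a past Expires is not parsed here)."""
    c = parse_set_cookie(header)
    host_only = "domain" not in c
    domain = request_host if host_only else c["domain"].lstrip(".").lower()
    key = (c["name"], domain, c.get("path", "/"))
    if int(c.get("max-age", "1")) <= 0:
        jar.pop(key, None)
    else:
        jar[key] = {"value": c["value"], "host_only": host_only}

def cookie_header(jar, request_host, request_path="/"):
    """Build the Cookie header a browser would send: domain-match, path-match,
    longer paths first, then creation order (dict insertion order)."""
    sent = []
    for (name, domain, path), c in sorted(jar.items(), key=lambda kv: -len(kv[0][2])):
        domain_ok = request_host == domain or (
            not c["host_only"] and request_host.endswith("." + domain))
        if domain_ok and request_path.startswith(path):
            sent.append(f"{name}={c['value']}")
    return "; ".join(sent)

def simulate(clear_cookie_header):
    """Steps 1-3 of the report: 401 clear-cookie, successful login, then a request."""
    jar = {}
    apply_set_cookie(jar, HOST, clear_cookie_header)  # step 1: 401 from /_session
    apply_set_cookie(jar, HOST, GOOD_LOGIN)           # step 2: 200 from /_session
    return cookie_header(jar, HOST, "/_users/org.couchdb.user%3AX")  # step 3

if __name__ == "__main__":
    print(simulate("AuthSession=; Version=1; Path=/; HttpOnly"))                    # both cookies
    print(simulate("AuthSession=; Version=1; Domain=domain.com; Path=/; HttpOnly"))  # one cookie
```

The same model shows that a clearing header carrying Max-Age=0 together with the matching Domain removes the entry outright rather than leaving an empty cookie behind.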
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org