Posted to user@couchdb.apache.org by Jens Alfke <je...@couchbase.com> on 2013/01/10 20:31:39 UTC

Interpretation of session timeout

The default value of the couch_httpd_auth/timeout config param is 600, meaning that cookie-based sessions expire in ten minutes.

Does this mean ten minutes after the session was first created, or after ten minutes of no activity? (That is, does each subsequent request extend the session expiration time?)

I ask because, in the former interpretation, ten minutes seems like a very frustratingly short expiration time — I would not keep using a website that forced me to log in again every ten minutes!

Obviously the admin can increase this value, but as I’m writing general purpose libraries that interact with arbitrary CouchDB servers [i.e. TouchDB and CouchCocoa] I have to work with whatever’s set in the remote database. And ten minutes is short enough that my session might expire in the middle of a replication, for example, which would complicate my auth logic.

—Jens

Re: Interpretation of session timeout

Posted by Christopher Bonhage <qu...@me.com>.
Hello Jens,

The AuthSession cookie appears to contain the access time in the encoded session data:

> [User, TimeStr, HashStr] = try
>             AuthSession = couch_util:decodeBase64Url(Cookie),
>             [_A, _B, _Cs] = re:split(?b2l(AuthSession), ":",
>                                      [{return, list}, {parts, 3}])

However, CouchDB appears to be re-setting the cookie with a new timestamp after every request (as long as it is not within 10% of expiration):

> cookie_auth_header(#httpd{user_ctx=#user_ctx{name=User}, auth={Secret, true}}=Req, Headers) ->
>     % Note: we only set the AuthSession cookie if:
>     %  * a valid AuthSession cookie has been received
>     %  * we are outside a 10% timeout window
>     %  * and if an AuthSession cookie hasn't already been set e.g. by a login
>     %    or logout handler.
>     % The login and logout handlers need to set the AuthSession cookie
>     % themselves.
>     CookieHeader = couch_util:get_value("Set-Cookie", Headers, ""),
>     Cookies = mochiweb_cookies:parse_cookie(CookieHeader),
>     AuthSession = couch_util:get_value("AuthSession", Cookies),
>     if AuthSession == undefined ->
>         TimeStamp = make_cookie_time(),
>         [cookie_auth_cookie(Req, ?b2l(User), Secret, TimeStamp)];
>     true ->
>         []
> end;
So, it looks like you're in luck!

~Christopher Bonhage
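An added example in Python (not CouchDB code and not part of the thread) that decodes the cookie layout quoted above, classifies a cookie against the timeout, and reports from two successive Set-Cookie values whether the server slid the expiry; the "refresh once less than 90% of the timeout remains" threshold is my reading of the 10% window in the quoted comment and is an assumption to verify against your server version.

```python
import base64
import time

# Layout quoted from the reply: base64url( user ":" hex_timestamp ":" hash ),
# split on ":" into at most three parts. The hash is not verified here.


def _b64url_decode(s: str) -> bytes:
    # CouchDB emits unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_auth_session(cookie: str):
    """Return (user, issued_at_unix, hash_str) from an AuthSession value."""
    parts = _b64url_decode(cookie).decode("utf-8").split(":", 2)
    if len(parts) != 3:
        raise ValueError("Malformed AuthSession cookie")
    user, time_str, hash_str = parts
    return user, int(time_str, 16), hash_str


def make_auth_session(user: str, issued_at: int, hash_str: str = "constructedhash") -> str:
    """Build a value with the same layout; the hash is a constructed placeholder."""
    return _b64url_encode(f"{user}:{issued_at:x}:{hash_str}".encode("utf-8"))


def session_state(cookie: str, now: int, timeout: int = 600) -> str:
    """'expired', 'fresh' (no re-issue expected) or 'refresh' (re-issue expected).
    Assumption: the server re-issues once less than 90% of the timeout remains."""
    _, issued_at, _ = parse_auth_session(cookie)
    time_left = timeout - (now - issued_at)
    if time_left <= 0:
        return "expired"
    return "refresh" if time_left < timeout * 0.9 else "fresh"


def session_extended(cookie_before: str, cookie_after: str) -> bool:
    """True if the timestamp advanced between two responses, i.e. sliding expiry."""
    u1, t1, _ = parse_auth_session(cookie_before)
    u2, t2, _ = parse_auth_session(cookie_after)
    return u1 == u2 and t2 > t1


if __name__ == "__main__":
    t0 = int(time.time())
    c0 = make_auth_session("jens", t0)  # constructed sample cookie
    print(parse_auth_session(c0), session_state(c0, t0 + 120))
```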