Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/09/30 12:09:03 UTC

[GitHub] [couchdb] grapevineai opened a new issue #3181: Configuration same_site set to none makes CouchDB unusable

grapevineai opened a new issue #3181:
URL: https://github.com/apache/couchdb/issues/3181


   
   ## Description
   
   If the configuration `[couch_httpd_auth] same_site` is set to "none", the cookie is not saved in the browser. Sessions become unusable.
   
   
   ## Steps to Reproduce
   - Set `[couch_httpd_auth] same_site=none`
   - Try to login to Fauxton through the `/_utils` endpoint
   
   
   ## Expected Behaviour
   The cookie should be kept in the browser and the sessions should work
   
   
   ## Your Environment
   
   
   * CouchDB version used: 3.1.1
   * Browser name and version: Chrome 85.0.4183.121
   * Operating system and version: OSX
   
   ## Additional Context
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] grapevineai commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
grapevineai commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-702332032


   I have tried to add `proxy_cookie_path / "/; HTTPOnly; Secure";` to nginx but it doesn't solve the issue.
   
   Can someone explain to me why "none" is not working out of the box while "strict" and "lax" do? Is it a bug or is it something we should add to the documentation?





[GitHub] [couchdb] grapevineai closed issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
grapevineai closed issue #3181:
URL: https://github.com/apache/couchdb/issues/3181


   





[GitHub] [couchdb] SinanGabel commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
SinanGabel commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-702378464


   Set-Cookie: flavor=choco; SameSite=None
   
   Is probably what you have now (exchange [flavor=choco] for what you are
   setting).
   
   The single line in the nginx configuration adds the following in bold
   to the line (if you have set up things correctly):
   
   Set-Cookie: flavor=choco; SameSite=None; **HTTPOnly; Secure**
   
   Here's what my browser is showing in the Network part.
   [image: image.png]
   Here's one reference:
   
   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
   
   
   
   On Thu, 1 Oct 2020 at 20:54, grapevineai <no...@github.com> wrote:
   
   > I have tried to add proxy_cookie_path / "/; HTTPOnly; Secure"; to nginx
   > but it doesn't solve the issue.
   >
   > Can someone explain to me why "none" is not working out of the box while
   > "strict" and "lax" do? Is it a bug or a is it something we should add to
   > the documentation?
   >
   





[GitHub] [couchdb] grapevineai commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
grapevineai commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-701438276


   Thanks, I will try that... but shouldn't it work out of the box? If it shouldn't then we should add this information to the doc. 





[GitHub] [couchdb] grapevineai commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
grapevineai commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-704121184


   @willholley Thank you very much for the explanation! This is definitely something that should be added to the doc at some point. In the meantime, this issue can be used as a reference!
   
   @SinanGabel Thank you for your support. I was finally able to solve the issue by adding: `proxy_cookie_path / "/; Secure";` to the nginx config.





[GitHub] [couchdb] SinanGabel commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
SinanGabel commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-701391468


   It must be "Secure" too.
   
   This you can set via a proxy web server (nginx or another).
   
   For nginx you can use the below where the first line solves the
   samesite=none problem:
   
   proxy_cookie_path / "/; HTTPOnly; Secure";
   
       # couchdb
       location ~ ^/(.*)/_changes {
           proxy_pass http://couchdb_node;
           proxy_redirect off;
           # Transfer-Encoding: chunked
           proxy_buffering off;
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Ssl on;
       }
   
       location / {
           proxy_pass http://couchdb_node;
           proxy_redirect off;
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Ssl on;
       }
   
   
   
   On Wed, 30 Sep 2020 at 14:09, grapevineai <no...@github.com> wrote:
   
   > Description
   >
   > If the configuration [couch_httpd_auth] same_site is set to "none", the
   > cookie is not saved in the browser. Sessions become unusable.
   > Steps to Reproduce
   >
   >    - Set [couch_httpd_auth] same_site=none
   >    - Try to login to Fauxton through the /_utils endpoint
   >
   > Expected Behaviour
   >
   > The cookie should be kept in the browser and the sessions should work
   > Your Environment
   >
   >    - CouchDB version used: 3.1.1
   >    - Browser name and version: Chrome 85.0.4183.121
   >    - Operating system and version: OSX
   >
   > Additional Context
   >
   





[GitHub] [couchdb] willholley commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
willholley commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-702650658


   @grapevineai the core problem for you seems to be that using `SameSite=none` requires you to access CouchDB using TLS (HTTPS). CouchDB will set the `Secure` cookie directive automatically if you have configured it to terminate TLS. If you are using a reverse proxy such as nginx to terminate TLS, you need to configure it to set the `Secure` cookie directive on the CouchDB session cookie. If you are not using TLS to connect to CouchDB, then you won't be able to use `SameSite=none`.
   
   
   
   
   
   


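To make the rule in the comment above concrete, here is an added example (not code from the CouchDB project or from anyone in this thread) that models the browser's acceptance check for a session cookie and emulates what the nginx `proxy_cookie_path / "/; Secure";` rewrite does to it. The `AuthSession` token value and the cookie layout are constructed sample data, not captured from a real server.

```python
import re

# Constructed sample: a CouchDB-style session cookie as it would leave a
# server that does not terminate TLS itself (no Secure attribute).
RAW_COOKIE = "AuthSession=c2FtcGxlLXRva2Vu; Version=1; Path=/; HttpOnly; SameSite=None"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def browser_accepts(header, scheme="https"):
    """Model of the rules discussed in the thread (Chrome 80+ behaviour):
    a SameSite=None cookie is dropped unless it also carries Secure, and a
    Secure cookie is only stored when the response came over https."""
    _, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    if secure and scheme != "https":
        return False
    if attrs.get("samesite", "lax").lower() == "none" and not secure:
        return False
    return True


def proxy_cookie_path(header, prefix, replacement):
    """Emulate nginx proxy_cookie_path: rewrite the leading `prefix` of the
    cookie's Path attribute to `replacement` (matched case-insensitively).
    With prefix "/" and replacement "/; Secure", Path=/ becomes Path=/; Secure."""
    pattern = re.compile(r"(;\s*path=)" + re.escape(prefix), re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + replacement, header, count=1)


if __name__ == "__main__":
    print("raw cookie accepted:", browser_accepts(RAW_COOKIE))
    fixed = proxy_cookie_path(RAW_COOKIE, "/", "/; Secure")
    print("rewritten:", fixed)
    print("rewritten, over https:", browser_accepts(fixed))
    print("rewritten, over http: ", browser_accepts(fixed, scheme="http"))
```

The last line reproduces the point that the rewrite alone is not enough: the Secure cookie is still discarded when clients reach the proxy over plain HTTP.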



[GitHub] [couchdb] grapevineai commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
grapevineai commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-702615445


   @SinanGabel I'm confused... IMHO, CouchDB should automatically handle this! Putting that aside, I still can't make it work. From what you wrote, I understand that the cookie is missing the `HTTPOnly` and `Secure` tags which can be added by nginx.
   
   In the case of CouchDB sessions, `flavor=choco` should be replaced by `AuthSession=<KEY>` which I can't do manually. In addition, adding the `proxy_cookie_path` setting to nginx didn't solve the issue. The `_utils` endpoint is still unusable!





[GitHub] [couchdb] SinanGabel commented on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
SinanGabel commented on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-702645509


   You can try with this local.ini configuration for example, just adjust to
   your needs.
   
   [couchdb]
   single_node=true
   max_dbs_open = 128
   ; add a uuid (unique identifier) for this server instance
   uuid = 23a19be4-0497-11eb-bdce-3be6f384d43c
   ; is removed in couchdb 4.x. Check _users Permissions (possibly have to update)
   ; note that users can still update their password (_admin role not necessary)
   users_db_security_editable = false
   
   [chttpd]
   require_valid_user=true
   bind_address=0.0.0.0
   port=5984
   socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
   server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
   
   [httpd]
   server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
   socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
   enable_cors = true
   changes_timeout = 180000
   x_forwarded_host = X-Forwarded-Host
   x_forwarded_proto = X-Forwarded-Proto
   x_forwarded_ssl = X-Forwarded-Ssl
   
   [log]
   level=warning
   writer = stderr
   
   [couch_httpd_auth]
   ; unique secret for this server instance. The secret token is used for
   ; Proxy Authentication and for Cookie Authentication.
   secret = 3e33c590-0497-11eb-8516-8f112748f76a
   allow_persistent_cookies = true
   ; 1 day = 24 * 60 * 60 = 86400 seconds
   timeout = 86400
   auth_cache_size = 512
   require_valid_user=true
   same_site = None
   
   [cors]
   ; See also https://github.com/pouchdb/add-cors-to-couchdb
   ; Note: the Fauxton cors settings are slightly different
   origins = *
   credentials = true
   headers = accept, authorization, content-type, origin, cookie, referer, x-csrf-token
   methods = GET, OPTIONS, HEAD, PUT, POST, DELETE, TRACE
   max_age = 86400
   
   [replicator]
   ; adjust this to your situation
   ; 3 minutes = 3 * 60 * 1000 = 180000
   connection_timeout = 180000
   use_checkpoints = true
   worker_batch_size = 512
   
   [admins]
   admin = admin_password
   
   
   On Fri, 2 Oct 2020 at 11:07, grapevineai <no...@github.com> wrote:
   
   > @SinanGabel <https://github.com/SinanGabel> I'm confused... IMHO, CouchDB
   > should automatically handle this! Putting that aside, I still can't make it
   > work. From what you wrote, I understand that the cookie is missing the
   > HTTPOnly and Secure tags which can be added by nginx.
   >
   > In the case of CouchDB sessions, flavor=choco should be replaced by
   > AuthSession=<KEY> which I can't do manually. In addition, adding the
   > proxy_cookie_path setting to nginx didn't solve the issue. The _utils
   > endpoint is still unusable!
   >
   





[GitHub] [couchdb] grapevineai edited a comment on issue #3181: Configuration same_site set to none makes CouchDB unusable

Posted by GitBox <gi...@apache.org>.
grapevineai edited a comment on issue #3181:
URL: https://github.com/apache/couchdb/issues/3181#issuecomment-702615445


   @SinanGabel I'm confused... IMHO, CouchDB should automatically handle this! Putting that aside, I still can't make it work. From what you wrote, I understand that the cookie is missing the `HTTPOnly` and `Secure` tags which can be added by nginx.
   
   In the case of CouchDB sessions, `flavor=choco` should be replaced by `AuthSession=<KEY>` which I can't do manually. In addition, adding the `proxy_cookie_path` setting to nginx didn't solve the issue. The `_utils` endpoint is still unusable and the sessions don't work!

