Posted to user@couchdb.apache.org by Andrea Brancatelli <ab...@schema31.it.INVALID> on 2020/01/21 14:54:16 UTC

CouchDB Sessions

Hello everybody, 

speaking of the _session endpoint, is there any way to have a list of
active sessions by _user? 

I don't seem to find one in the docs but maybe it's me... :-)

-- 

Andrea Brancatelli

Re: CouchDB Sessions

Posted by Stefan du Fresne <st...@medicmobile.org>.
IIRC they are stateless so I don't think it's possible: the token the user
has to prove their session contains how long it lasts for and the server
doesn't maintain knowledge of them.

On Tue, Jan 21, 2020 at 2:54 PM Andrea Brancatelli
<ab...@schema31.it.invalid> wrote:

> Hello everybody,
>
> speaking of the _session endpoint, is there any way to have a list of
> active sessions by _user?
>
> I don't seem to find one in the docs but maybe it's me... :-)
>
> --
>
> Andrea Brancatelli

Re: CouchDB Sessions

Posted by Jonathan Hall <fl...@flimzy.com>.
The `DELETE /_session` endpoint doesn't do anything on the server at 
all. It simply instructs the client to delete the cookie (which the 
client can ignore, if it chooses). So that endpoint really is only there 
for semantics.

If you want to put a proxy in front of CouchDB, you'd have to also 
invent a new session management method, if you want the ability to 
delete sessions. I'm sure this could be done, but it wouldn't be trivial.

The only way to invalidate an existing session in CouchDB is to change 
the user's password (or the server secret, but that would invalidate 
sessions for _all_ users).

Jonathan


On 1/21/20 6:49 PM, Andrea Brancatelli wrote:
>
>
> OK, I see. I was confused by the DELETE /_session endpoint.
>
> BTW, what I'm trying to do is just the possibility to have a user 
> log out another session of his own.
>
> I clearly understand that with something else sitting in front of 
> couch and hiding couch's session I can do the same, but then I don't 
> exactly grasp the coolness of the /_session endpoint, one could just 
> always inject the Basic Auth and have the same result (without the 
> hassle of the expiration).
>
> I guess I'm misunderstanding something, please shed a light if you can ;-)
>
> ---
> *Andrea Brancatelli *
>
>
> On 2020-01-21 16:44, Jonathan Hall wrote:
>
>> No, there's not. I've previously answered this same question on 
>> StackOverflow: https://stackoverflow.com/a/43354080/13860 Answer 
>> pasted below:
>>
>>
>>    Is it possible to view a list of active user sessions on a couchdb
>>    server?
>>
>> Short answer: No.
>>
>> Long answer: There's no such thing, really, as user sessions in CouchDB.
>>
>> CouchDB's "user session" cookies are just an HMAC of the user's 
>> password salt, the server secret, and the time the cookie was created 
>> (so it can tell when it expires).
>>
>> This means that an "active session" is any cookie that contains a 
>> valid HMAC composed from a valid user salt, the valid user cookie, 
>> and any timestamp that is less than N minutes in the past (where N is 
>> the expiration time).
>>
>> These sessions don't even have to be created on the CouchDB server, 
>> so even logging auth requests is not sufficient. It's a common 
>> practice in some situations to create these cookies in an app 
>> external to CouchDB.
>>
>> As a followup question:
>>
>> Why are you interested in listing active sessions? Maybe there's an 
>> alternative approach to accomplish whatever you're aiming for.
>>
>>
>> On 1/21/20 3:54 PM, Andrea Brancatelli wrote:
>>> Hello everybody,
>>>
>>> speaking of the _session endpoint, is there any way to have a list of
>>> active sessions by _user?
>>>
>>> I don't seem to find one in the docs but maybe it's me... :-)
>>

Re: CouchDB Sessions

Posted by Andrea Brancatelli <ab...@schema31.it.INVALID>.
OK, I see. I was confused by the DELETE /_session endpoint. 

BTW, what I'm trying to do is just the possibility to have a user
log out another session of his own. 

I clearly understand that with something else sitting in front of couch
and hiding couch's session I can do the same, but then I don't exactly
grasp the coolness of the /_session endpoint, one could just always
inject the Basic Auth and have the same result (without the hassle of
the expiration). 

I guess I'm misunderstanding something, please shed a light if you can
;-)

---

Andrea Brancatelli

On 2020-01-21 16:44, Jonathan Hall wrote:

> No, there's not. I've previously answered this same question on StackOverflow: https://stackoverflow.com/a/43354080/13860  Answer pasted below:
> 
> Is it possible to view a list of active user sessions on a couchdb
> server?
> 
> Short answer: No.
> 
> Long answer: There's no such thing, really, as user sessions in CouchDB.
> 
> CouchDB's "user session" cookies are just an HMAC of the user's password salt, the server secret, and the time the cookie was created (so it can tell when it expires).
> 
> This means that an "active session" is any cookie that contains a valid HMAC composed from a valid user salt, the valid user cookie, and any timestamp that is less than N minutes in the past (where N is the expiration time).
> 
> These sessions don't even have to be created on the CouchDB server, so even logging auth requests is not sufficient. It's a common practice in some situations to create these cookies in an app external to CouchDB.
> 
> As a followup question:
> 
> Why are you interested in listing active sessions? Maybe there's an alternative approach to accomplish whatever you're aiming for.
> 
> On 1/21/20 3:54 PM, Andrea Brancatelli wrote: 
> 
>> Hello everybody,
>> 
>> speaking of the _session endpoint, is there any way to have a list of
>> active sessions by _user?
>> 
>> I don't seem to find one in the docs but maybe it's me... :-)

Re: CouchDB Sessions

Posted by Jonathan Hall <fl...@flimzy.com>.
No, there's not. I've previously answered this same question on 
StackOverflow: https://stackoverflow.com/a/43354080/13860  Answer pasted 
below:


    Is it possible to view a list of active user sessions on a couchdb
    server?

Short answer: No.

Long answer: There's no such thing, really, as user sessions in CouchDB.

CouchDB's "user session" cookies are just an HMAC of the user's password 
salt, the server secret, and the time the cookie was created (so it can 
tell when it expires).

This means that an "active session" is any cookie that contains a valid 
HMAC composed from a valid user salt, the valid user cookie, and any 
timestamp that is less than N minutes in the past (where N is the 
expiration time).

These sessions don't even have to be created on the CouchDB server, so 
even logging auth requests is not sufficient. It's a common practice in 
some situations to create these cookies in an app external to CouchDB.

As a followup question:

Why are you interested in listing active sessions? Maybe there's an 
alternative approach to accomplish whatever you're aiming for.


On 1/21/20 3:54 PM, Andrea Brancatelli wrote:
> Hello everybody,
>
> speaking of the _session endpoint, is there any way to have a list of
> active sessions by _user?
>
> I don't seem to find one in the docs but maybe it's me... :-)
>
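Added example (Python, not CouchDB's code nor anything posted by the thread participants) modelling the stateless cookie Jonathan describes above and the two invalidation levers he names earlier in the thread: a password change (new user salt) and a server-secret change. The layout mirrors CouchDB's AuthSession cookie, base64url of name:hex-timestamp:HMAC-SHA1 keyed with secret plus salt; the exact encoding and the 600-second window are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac

TIMEOUT_SECS = 600  # assumed expiry window, the "N" in the thread

def _sign(secret: bytes, salt: bytes, session_data: bytes) -> bytes:
    # HMAC key is the server secret followed by the user's password salt,
    # so changing either one invalidates every cookie signed with it.
    return hmac.new(secret + salt, session_data, hashlib.sha1).digest()

def mint_cookie(name: str, secret: bytes, salt: bytes, issued_at: int) -> str:
    """Build a cookie purely from inputs; no server-side record is created."""
    session_data = f"{name}:{issued_at:X}".encode()
    raw = session_data + b":" + _sign(secret, salt, session_data)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_cookie(cookie: str, secret: bytes, lookup_salt, now: int):
    """Return the user name if the cookie verifies and is unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie + "=" * (-len(cookie) % 4))
        name, hextime, mac = raw.split(b":", 2)  # MAC bytes may contain ':'
        issued_at = int(hextime, 16)
    except (ValueError, binascii.Error):
        return None
    user = name.decode(errors="replace")
    salt = lookup_salt(user)
    if salt is None:
        return None
    expected = _sign(secret, salt, name + b":" + hextime)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    if now >= issued_at + TIMEOUT_SECS:  # only the signed timestamp ages it out
        return None
    return user

def demo():
    # Walk through validity, expiry, and the two invalidation levers.
    secret, salts = b"constructed-server-secret", {"alice": b"salt-v1"}
    issued = 1579618456  # constructed fixed timestamp, not wall-clock time
    cookie = mint_cookie("alice", secret, salts["alice"], issued)
    fresh = validate_cookie(cookie, secret, salts.get, issued + 5)
    expired = validate_cookie(cookie, secret, salts.get, issued + TIMEOUT_SECS)
    new_secret = validate_cookie(cookie, b"rotated", salts.get, issued + 5)
    salts["alice"] = b"salt-v2"  # password change gives the user a new salt
    after_pw = validate_cookie(cookie, secret, salts.get, issued + 5)
    return fresh, expired, new_secret, after_pw
```

Because the server keeps no table of issued cookies, there is nothing to enumerate per user; the only state it consults is the salt and secret, which is why rotating either is the blunt instrument the thread describes.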