Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/12 04:04:03 UTC
[GitHub] [couchdb] ericlowry opened a new issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain
URL: https://github.com/apache/couchdb/issues/2655
`HTTP DELETE /_session` ignores the [couch_httpd_auth] cookie_domain setting and returns a cookie in the server's actual domain.
## Description
DELETE /_session appears to ignore the cookie_domain setting in [couch_httpd_auth] and returns an "empty" cookie in the server's actual domain.
I have CouchDB running on "db.myapp.local" and I am setting a custom cookie_domain = "myapp.local", i.e. the root domain for all my services. This allows me to share the AuthSession cookie with another service on "api.myapp.local". This works great when generating user sessions with POST /_session and later GET /_session. The problem comes when I try to log out a user via DELETE /_session: it clears the wrong cookie. It sends an empty cookie in the domain "db.myapp.local" instead of the expected domain "myapp.local", so it doesn't clear the cookie it issued and you end up with 2 AuthSession cookies...
## Steps to Reproduce
1. Configure CouchDB to listen on "db.myapp.local".
2. Add the following to your .ini file:
   ```
   [couch_httpd_auth]
   same_site = strict
   cookie_domain = myapp.local
   ```
3. Create a CouchDB user: myuser / mypassword.
4. In Postman, get a session for your user: `POST /_session` with body `{"name":"myuser", "password":"mypassword"}`.
   Note: You should get a single AuthSession cookie back, in domain "myapp.local".
5. In Postman, delete the session you just created: `DELETE /_session`.
   Note: You now have 2 AuthSession cookies, one in domain "myapp.local" (unchanged) and an empty one in "db.myapp.local".
## Expected Behaviour
It should return a single "empty" cookie in the [couch_httpd_auth] cookie_domain, i.e. with all things equal, DELETE /_session should clear the AuthSession cookie that was returned by POST /_session.
## Your Environment
```json
{
  "couchdb": "Welcome",
  "version": "3.0.0",
  "git_sha": "03a77db6c",
  "uuid": "f7a271854d4d1e85d498026bf99a4c85",
  "features": [
    "access-ready",
    "partitioned",
    "pluggable-storage-engines",
    "reshard",
    "scheduler"
  ],
  "vendor": {
    "name": "The Apache Software Foundation"
  }
}
```
* CouchDB version used: 3.0.0
* Operating system and version: Linux - Centos 8, Docker, official couchdb container
## Additional Context
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
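As an added example (not from the issue or from CouchDB), the check below parses the login and logout Set-Cookie headers the way a browser stores them, keyed on cookie name, Domain and Path, and shows why a clearing cookie with a mismatched Domain leaves the original, still-valid AuthSession cookie in the jar. The header values are constructed to match the report; the token and the host name are placeholders.

```python
# Added example, not CouchDB code: verify that a logout response actually
# clears the session cookie the login response set. Browsers key cookies on
# (name, domain, path), so a clearing cookie with another Domain misses.

# Constructed Set-Cookie headers modelled on the report (token is a placeholder).
LOGIN_SET_COOKIE = ("AuthSession=placeholder-token; Version=1; Domain=myapp.local; "
                    "Path=/; HttpOnly; SameSite=Strict")
BUGGY_LOGOUT_SET_COOKIE = ("AuthSession=; Version=1; Domain=db.myapp.local; "
                           "Path=/; HttpOnly; SameSite=Strict")
FIXED_LOGOUT_SET_COOKIE = ("AuthSession=; Version=1; Domain=myapp.local; "
                           "Path=/; HttpOnly; SameSite=Strict")


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and the attributes that identify it."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": "", "path": "/", "max_age": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lower().lstrip(".")  # leading dot is ignored (RFC 6265)
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "max-age":
            cookie["max_age"] = int(val)
    return cookie


def cookie_store_after(set_cookie_headers, host="db.myapp.local"):
    """Simulate a browser jar after the given responses from `host` (placeholder host)."""
    store = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        # A cookie without a Domain attribute is host-only, bound to the responding host.
        key = (c["name"], c["domain"] or host, c["path"])
        if c["max_age"] is not None and c["max_age"] <= 0:
            store.pop(key, None)        # explicit expiry removes the cookie
        else:
            store[key] = c["value"]     # an empty value is still a stored cookie
    return store


def logout_clears_login_cookie(login_header, logout_header):
    """True only if logout targets the same (name, domain, path) as login and empties it."""
    login, logout = parse_set_cookie(login_header), parse_set_cookie(logout_header)
    same_cookie = all(login[k] == logout[k] for k in ("name", "domain", "path"))
    return same_cookie and logout["value"] == ""
```

With the buggy logout header the simulated jar holds two AuthSession entries and the original token is never removed, which is the state the report describes; a logout that would leave a stale session cookie behind is worth asserting on in an integration test.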
[GitHub] [couchdb] rnewson closed issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain
Posted by GitBox <gi...@apache.org>.
URL: https://github.com/apache/couchdb/issues/2655
[GitHub] [couchdb] ericlowry commented on issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain
Posted by GitBox <gi...@apache.org>.
URL: https://github.com/apache/couchdb/issues/2655#issuecomment-598256035
Thanks! Great stuff!