Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/12 04:04:03 UTC

[GitHub] [couchdb] ericlowry opened a new issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain

ericlowry opened a new issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain
URL: https://github.com/apache/couchdb/issues/2655
 
 
   
   `HTTP DELETE /_session` ignores the [couch_httpd_auth] cookie_domain setting and returns a cookie in the server's actual domain.
   
   ## Description
   
   DELETE /_session appears to ignore the cookie_domain setting in [couch_httpd_auth] and returns an "empty" cookie in the server's actual domain.
   
   
   I have couchdb running on "db.myapp.local" and I set a custom cookie_domain = "myapp.local", i.e. the root domain for all my services.  This allows me to share the AuthSession cookie with another service on "api.myapp.local".  This works great when generating user sessions with POST /_session and later GET /_session.  The problem comes when I try to log out a user via DELETE /_session: it clears the wrong cookie. It sends an empty cookie in the domain "db.myapp.local" instead of the expected domain "myapp.local", and because it doesn't clear the cookie it issued, you end up with 2 AuthSession cookies...
   
   
   
   ## Steps to Reproduce
   
   configure couchdb to listen to "db.myapp.local"
   
   add the following in your .ini file
   ```
   [couch_httpd_auth]
   same_site = strict
   cookie_domain = myapp.local
   ```
   
   create a couch user: myuser / mypassword
   
   in postman, get a session for your user
   POST /_session BODY {"name":"myuser", "password":"mypassword"}
   Note: You should get a single AuthSession cookie back, in domain "myapp.local"
   
   in postman, delete the session you just created
   DELETE /_session
   Note: You now have 2 AuthSession cookies, one in domain "myapp.local" (unchanged) and an empty one in "db.myapp.local". 
   
   
   ## Expected Behaviour
   
   
   It should return a single "empty" cookie in the [couch_httpd_auth] cookie_domain, e.g. with all things equal, DELETE /_session should clear the AuthSession cookie that was returned by POST /_session.
   
   ## Your Environment
   
   ```json
   {
     "couchdb": "Welcome",
     "version": "3.0.0",
     "git_sha": "03a77db6c",
     "uuid": "f7a271854d4d1e85d498026bf99a4c85",
     "features": [
       "access-ready",
       "partitioned",
       "pluggable-storage-engines",
       "reshard",
       "scheduler"
     ],
     "vendor": {
       "name": "The Apache Software Foundation"
     }
   }
   ```
   
   * CouchDB version used: 3.0.0
   * Operating system and version: Linux - CentOS 8, Docker, official couchdb container
   
   ## Additional Context
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
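Added example (not CouchDB's code and not from the issue): a minimal RFC 6265-style cookie store in Python that shows why the logout response described in the report leaves two AuthSession cookies, and why a browser would still send the live session cookie to db.myapp.local afterwards. The Set-Cookie headers are constructed to match the report rather than captured from a server; `LOGIN_HOST`, `apply_set_cookie` and the other names are assumptions of this example.

```python
from http.cookies import SimpleCookie

LOGIN_HOST = "db.myapp.local"  # host answering POST/DELETE /_session (from the report)

def apply_set_cookie(jar, host, header):
    """Apply one Set-Cookie header to jar, a dict keyed by (name, domain, path) the
    way a browser keys its store. A header only replaces or removes the cookie with
    the same key; a different Domain attribute yields a second, unrelated cookie."""
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        domain = (morsel["domain"] or host).lstrip(".").lower()  # no Domain => host-only
        key = (name, domain, morsel["path"] or "/")
        if morsel["max-age"] and int(morsel["max-age"]) <= 0:
            jar.pop(key, None)         # explicit expiry removes the stored cookie
        else:
            jar[key] = morsel.value    # an empty value is still a stored cookie
    return jar

def cookies_sent_to(jar, host):
    """Cookies a browser would attach to a request for host (RFC 6265 domain match)."""
    host = host.lower()
    return {k: v for k, v in jar.items() if host == k[1] or host.endswith("." + k[1])}

def jar_after(login_header, logout_header):
    """Cookie store after a login response followed by a logout response."""
    jar = apply_set_cookie({}, LOGIN_HOST, login_header)
    return apply_set_cookie(jar, LOGIN_HOST, logout_header)

def logout_clears_session(login_header, logout_header):
    """True only if no non-empty AuthSession cookie would still reach the server."""
    sent = cookies_sent_to(jar_after(login_header, logout_header), LOGIN_HOST)
    return not any(value for (name, _, _), value in sent.items() if name == "AuthSession")

# Constructed headers (not captured from CouchDB). The login honours cookie_domain ...
LOGIN = "AuthSession=constructed-session-token; Version=1; Domain=myapp.local; Path=/; HttpOnly"
# ... the reported logout omits Domain, so its empty cookie lands on db.myapp.local ...
LOGOUT_REPORTED = "AuthSession=; Version=1; Path=/; HttpOnly"
# ... whereas the expected logout scopes the empty cookie to the same cookie_domain.
LOGOUT_EXPECTED = "AuthSession=; Version=1; Domain=myapp.local; Path=/; HttpOnly"

if __name__ == "__main__":
    for label, logout in (("reported", LOGOUT_REPORTED), ("expected", LOGOUT_EXPECTED)):
        jar = jar_after(LOGIN, logout)
        print(label, "| cookies stored:", len(jar),
              "| session cleared:", logout_clears_session(LOGIN, logout))
```

The same check applied to a logout cookie carrying Max-Age=0 shows the other way a server can clear the cookie it issued, provided the Domain and Path match the login cookie.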

[GitHub] [couchdb] rnewson closed issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain

Posted by GitBox <gi...@apache.org>.
rnewson closed issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain
URL: https://github.com/apache/couchdb/issues/2655
 
 
   


[GitHub] [couchdb] ericlowry commented on issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain

Posted by GitBox <gi...@apache.org>.
ericlowry commented on issue #2655: DELETE _session ignores [couch_httpd_auth] cookie_domain
URL: https://github.com/apache/couchdb/issues/2655#issuecomment-598256035
 
 
   Thanks! great stuff!
