Good point regarding the replicator session refresh, Joan. I think it
should continue to work, but there would be a slight performance loss. Each
replication would make a new request to _session every 10 minutes or so (by
default), when now it gets a new session cookie for "free" so to speak.

To review, currently a cookie refresh in the replicator happens in these
cases:

 1) Auth / Authorization requests fail. Then we try to get a new session
cookie from _session. With auto-refresh this is not that used I imagine. It
does involve making an extra request (make original request, fail, refresh
cookie, retry request). And also this doesn't work if endpoints allow
anonymous writes.

 2) max-age in the cookie value is about to expire (over 90% expired). We
also enabled allow_persistent_cookies=true by default, as you mentioned, so
most recent endpoints should send max-age now. Without auto-refresh this
would hopefully become the best method to do refresh.

 3) If max-age cannot be parsed we still get a new cookie at close to
default expiry interval for CouchDB (550 seconds). This accounts for
endpoints which haven't upgraded to the latest release, but just happened
to have session expiry defaults (600 seconds).

 4) Response headers return a new session cookie. In that case we'd
remember the cookie as the new session cookie. But if we decide not to do
that anymore, the other 3 conditions would hopefully be enough
to perform the refresh.

Cheers,
-Nick
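
The four refresh cases listed in the message above, written out as client-side logic. This is an added example, not part of the original message and not CouchDB's replicator code; the names Session, parse_auth_session, refresh_due and on_response are hypothetical, and case 1 is assumed to mean an HTTP 401 or 403 response.

```python
# Added illustration; names and structure are assumptions, not CouchDB code.
from dataclasses import dataclass
from typing import Optional

REFRESH_FRACTION = 0.9   # case 2: refresh once max-age is over 90% expired
FALLBACK_INTERVAL = 550  # case 3: seconds, just under the 600 s default expiry


def parse_auth_session(set_cookie: str):
    """Return (cookie_value, max_age_or_None) from a Set-Cookie header, else None."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    if name != "AuthSession" or not value:
        return None
    max_age = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
    return value, max_age


@dataclass
class Session:
    cookie: str
    issued_at: float         # time the current cookie was obtained
    max_age: Optional[int]   # None when the endpoint sent no usable max-age

    def refresh_due(self, now: float) -> bool:
        """Proactive refresh check made before sending a request."""
        age = now - self.issued_at
        if self.max_age is not None:
            return age > REFRESH_FRACTION * self.max_age  # case 2
        return age >= FALLBACK_INTERVAL                   # case 3

    def on_response(self, status: int, headers: dict, now: float) -> str:
        """Return 'refresh' (POST _session, then retry), 'updated' or 'ok'."""
        if status in (401, 403):                          # case 1
            return "refresh"
        parsed = parse_auth_session(headers.get("Set-Cookie", ""))
        if parsed and parsed[0] != self.cookie:           # case 4
            self.cookie, self.max_age = parsed
            self.issued_at = now
            return "updated"
        return "ok"
```

Dropping the case 4 branch models the proposal in this thread: the session then only changes through an explicit _session request triggered by cases 1 to 3.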

On Thu, Dec 20, 2018 at 11:21 AM Joan Touzet <woh...@apache.org> wrote:

> Looks like the original code that introduced the option was done as part
> of this work:
>
>     https://issues.apache.org/jira/browse/COUCHDB-1304
>
> One serious concern on disabling this by default is what might happen
> to the replicator performance improvement introduced in 2.2.0:
>
>     https://github.com/apache/couchdb/pull/1619
>
> Nick, can you answer what happens to the replicator if we
> disable allow_persistent_cookies by default? Do we lose the expires
> header you need to successfully refresh, or did we fix that in 2.3.0?
> My memory is poor.
>
> -Joan
>
> ----- Original Message -----
> From: "Jonathan Hall" <fli...@flimzy.com>
> To: dev@couchdb.apache.org
> Sent: Thursday, December 20, 2018 11:01:10 AM
> Subject: Re: [PROPOSAL] Disable auto-renew of _session cookies
>
> The behavior you request is actually the default behavior. I ran into this
> when I was expressly seeking the behavior you're trying to disable, and
> made a feature request, only to learn that it is indeed configurable. See
> this issue: https://github.com/apache/couchdb/issues/1598
>
> In short, I believe that you simply need to disable the
> allow_persistent_cookies option in your configuration.
>
>
>
> On December 20, 2018 1:42:18 PM GMT+01:00, Mike Rhodes <couc...@dx13.co.uk>
> wrote:
> >Hi,
> >
> >Currently, _session cookies auto-renew. From what I can read of the
> >code, I think this is via [1] calling into [2], which will put a
> >Set-Cookie header on the response.
> >
> >What this means, I think, is that if I can retrieve your session cookie
> >in some way, then ensure I keep making calls within the expiration time
> >of the original cookie and its auto-renewed descendants, I have an
> >ever-lasting way to access your CouchDB data.
> >
> >(Nearly everlasting, anyway, as the password update process will change
> >the password hashing salt which forms a part of what the cookie's
> >signature signs over. Nonetheless, this requires the user notice the
> >compromise and update their password to invalidate existing sessions.
> >For many attacks, it is easy to get valuable data without tripping alarm
> >bells.)
> >
> >As far as I can see, this isn't a configurable option. What are the
> >thoughts of the list for removing the auto-renew function given its
> >security risks? From what I understand, this has been CouchDB's
> >behaviour ~forever, so I can see perhaps it's a risky change.
> >
> >[1]:
> >
> https://github.com/apache/couchdb/blob/be6de6f32d0be7147dce8ebe39dd54c07d7be31f/src/chttpd/src/chttpd.erl#L1140
> >[2]:
> >
> https://github.com/apache/couchdb/blob/1347806d2feebce53325070b475f9e211d240ddf/src/couch/src/couch_httpd_auth.erl#L246
> >
> >--
> >Mike.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
