I'm +0 on this. It doesn't properly fix the problem we introduced when we 
taught the replicator to acquire session cookies if the user has changed the 
session timeout parameter.

A better fix is for expired cookies to return a 401 rather than silently fall 
back to the next auth handler. Since that is a profoundly backward incompatible 
change it would need to be opt-in.

The replicator would do `POST /_session?hard_expire=true` to acquire a session 
cookie.

The server, when presented with an expired cookie returned by that method, will 
throw an unauthorized error, which in turn forces the replicator to acquire a 
fresh one.

This should be done in addition to a periodic refresh ahead of the expiration 
to avoid stalling replication progress during the refresh.

I also note that the session cookie response header tells us exactly when it 
expires, and this value, not a hardcoded 550 should be used to determine when 
to pre-emptively refresh.


[ Full content available at: https://github.com/apache/couchdb/pull/1619 ]
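The comment above sketches three pieces of client/server behaviour: an opt-in mode in which an expired session cookie yields a 401 instead of silently falling through to the next auth handler, a replicator that re-authenticates when it sees that 401, and a pre-emptive refresh deadline derived from the expiry the session cookie itself announces rather than a hard-coded number of seconds. The following is an added example written for this page, not CouchDB's code and not part of the pull request: an in-memory fake server and a replicator-style client that model those behaviours so they can be run offline. It assumes a cookie named `AuthSession` whose lifetime arrives as `Max-Age` (or `Expires`), and it treats `hard_expire` as the proposed flag, not an implemented one.

```python
"""Session-cookie handling for a replicator-style HTTP client.

Constructed example, not CouchDB's code: an in-memory fake server models the
two behaviours discussed in the review (silent fall-through on an expired
cookie versus an opt-in hard 401) so the client logic can run offline.
"""
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumption: the session cookie is named AuthSession and announces its
# lifetime through Max-Age (or Expires); the real cookie format may differ.
COOKIE_NAME = "AuthSession"


def cookie_expiry(set_cookie: str, now: float) -> float:
    """Absolute expiry (epoch seconds) announced by a Set-Cookie header.

    Max-Age wins over Expires (RFC 6265, section 5.3); a header with neither
    is session-scoped, so there is no client-side refresh deadline.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        raise ValueError("no %s cookie in header" % COOKIE_NAME)
    if morsel["max-age"]:
        return now + int(morsel["max-age"])
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]).timestamp()
    return float("inf")


class FakeServer:
    """Stand-in for the server side; `hard_expire` is the proposed opt-in flag."""

    def __init__(self, session_timeout: int):
        self.session_timeout = session_timeout  # the configurable timeout, in seconds
        self.sessions = {}                      # token -> (expiry, hard_expire)
        self.issued = 0

    def post_session(self, now: float, hard_expire: bool = False) -> str:
        """POST /_session[?hard_expire=true]: returns the Set-Cookie header value."""
        self.issued += 1
        token = "tok%d" % self.issued
        self.sessions[token] = (now + self.session_timeout, hard_expire)
        return "%s=%s; Version=1; Path=/; HttpOnly; Max-Age=%d" % (
            COOKIE_NAME, token, self.session_timeout)

    def handle(self, token, now: float):
        """Authenticate a request carrying the cookie; returns (status, user)."""
        entry = self.sessions.get(token)
        if entry is None:
            return 401, None
        expiry, hard_expire = entry
        if now >= expiry:
            if hard_expire:
                return 401, None   # proposed: refuse, forcing a fresh login
            return 200, None       # today: silently fall through to the next handler (anonymous)
        return 200, "replicator"


class ReplicatorSession:
    """Client that refreshes ahead of the announced expiry and reacts to 401."""

    def __init__(self, server: FakeServer, hard_expire: bool, refresh_margin=None):
        self.server = server
        self.hard_expire = hard_expire
        self.refresh_margin = refresh_margin  # fraction of lifetime; None = react only
        self.token = None
        self.issued_at = 0.0
        self.expiry = 0.0
        self.logins = 0

    def login(self, now: float) -> None:
        header = self.server.post_session(now, hard_expire=self.hard_expire)
        jar = SimpleCookie()
        jar.load(header)
        self.token = jar[COOKIE_NAME].value
        self.issued_at, self.expiry = now, cookie_expiry(header, now)
        self.logins += 1

    def needs_refresh(self, now: float) -> bool:
        if self.token is None:
            return True
        if self.refresh_margin is None or self.expiry == float("inf"):
            return False
        # Deadline derived from the server-announced lifetime, not a fixed constant.
        lifetime = self.expiry - self.issued_at
        return now >= self.expiry - lifetime * self.refresh_margin

    def request(self, now: float):
        if self.needs_refresh(now):
            self.login(now)
        status, user = self.server.handle(self.token, now)
        if status == 401:
            # Expired anyway (clock skew, missed refresh): re-authenticate once and retry.
            self.login(now)
            status, user = self.server.handle(self.token, now)
        return status, user


if __name__ == "__main__":
    srv = FakeServer(session_timeout=600)
    legacy = ReplicatorSession(srv, hard_expire=False)
    strict = ReplicatorSession(srv, hard_expire=True, refresh_margin=0.1)
    for t in (0, 500, 545, 700):
        print(t, "legacy", legacy.request(t), "strict", strict.request(t))
```

Running the script shows the failure mode the comment describes: the legacy client keeps getting 200 responses after its cookie expires, but as an anonymous user, with nothing prompting it to log in again; the hard-expire client either refreshes at 90% of the announced lifetime or, if it misses that window, gets a 401 and re-authenticates before retrying.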