Hello Jens,
The AuthSession cookie appears to contain the access time in the encoded
session data:
> [User, TimeStr, HashStr] = try
>     AuthSession = couch_util:decodeBase64Url(Cookie),
>     [_A, _B, _Cs] = re:split(?b2l(AuthSession), ":",
>                              [{return, list}, {parts, 3}])
However, CouchDB appears to be re-setting the cookie with a new timestamp after
every request (as long as it is not within 10% of expiration):
> cookie_auth_header(#httpd{user_ctx=#user_ctx{name=User}, auth={Secret,
>         true}}=Req, Headers) ->
>     % Note: we only set the AuthSession cookie if:
>     %  * a valid AuthSession cookie has been received
>     %  * we are outside a 10% timeout window
>     %  * and if an AuthSession cookie hasn't already been set e.g. by a login
>     %    or logout handler.
>     % The login and logout handlers need to set the AuthSession cookie
>     % themselves.
>     CookieHeader = couch_util:get_value("Set-Cookie", Headers, ""),
>     Cookies = mochiweb_cookies:parse_cookie(CookieHeader),
>     AuthSession = couch_util:get_value("AuthSession", Cookies),
>     if AuthSession == undefined ->
>         TimeStamp = make_cookie_time(),
>         [cookie_auth_cookie(Req, ?b2l(User), Secret, TimeStamp)];
>     true ->
>         []
>     end;
So, it looks like you're in luck!
~Christopher Bonhage
On Jan 10, 2013, at 11:31 AM, Jens Alfke <[email protected]> wrote:
> The default value of the couch_httpd_auth/timeout config param is 600,
> meaning that cookie-based sessions expire in ten minutes.
>
> Does this mean ten minutes after the session was first created, or after ten
> minutes of no activity? (That is, does each subsequent request extend the
> session expiration time?)
>
> I ask because, in the former interpretation, ten minutes seems like a very
> frustratingly short expiration time — I would not keep using a website that
> forced me to log in again every ten minutes!
>
> Obviously the admin can increase this value, but as I’m writing general
> purpose libraries that interact with arbitrary CouchDB servers [i.e. TouchDB
> and CouchCocoa] I have to work with whatever’s set in the remote database.
> And ten minutes is short enough that my session might expire in the middle of
> a replication, for example, which would complicate my auth logic.
>
> —Jens
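As an added illustration (not code from this thread or from CouchDB itself), the following Python models the cookie lifecycle the reply describes: a `user:timestamp:hash` payload that is base64url-encoded, split into three parts on `:`, checked for integrity and expiry against `couch_httpd_auth/timeout`, and re-issued with a fresh timestamp once the request falls outside the 10% window. It assumes a hex-encoded issue time and an HMAC-SHA1 over `user:timestamp` keyed with the server secret plus the user's salt; those details, the constant names and the secret values are constructed for the example, and the "10% window" is read as "at least 10% of the timeout has elapsed since the cookie was issued".

```python
import base64
import hashlib
import hmac

# Constructed values for this example; not a real server secret or salt.
SERVER_SECRET = b"example-server-secret"
USER_SALT = b"example-user-salt"
TIMEOUT = 600  # seconds; the couch_httpd_auth/timeout default quoted in the thread


def _b64url_nopad(raw: bytes) -> str:
    """base64url without trailing '=' padding (cookie-safe)."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_nopad; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(user: str, time_hex: str) -> str:
    # Assumption: keyed MAC over "user:timehex"; SHA-1 HMAC chosen to mirror CouchDB.
    msg = f"{user}:{time_hex}".encode()
    return hmac.new(SERVER_SECRET + USER_SALT, msg, hashlib.sha1).hexdigest()


def make_cookie(user: str, issued_at: int) -> str:
    """Build an AuthSession value: base64url("user:timehex:hash")."""
    time_hex = format(issued_at, "X")  # assumption: issue time as hex seconds
    return _b64url_nopad(f"{user}:{time_hex}:{_signature(user, time_hex)}".encode())


def validate_cookie(cookie: str, now: int, timeout: int = TIMEOUT):
    """Return (user, seconds_left) for a genuine, unexpired cookie, else None."""
    try:
        # maxsplit=2 mirrors re:split(..., [{parts, 3}]) in the quoted Erlang.
        user, time_hex, hash_str = _b64url_decode(cookie).decode().split(":", 2)
        issued_at = int(time_hex, 16)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie: wrong shape, bad base64 or bad hex
    # Constant-time comparison so a forged hash cannot be probed byte by byte.
    if not hmac.compare_digest(hash_str, _signature(user, time_hex)):
        return None
    time_left = issued_at + timeout - now
    if time_left <= 0:
        return None  # expired: timeout counted from the cookie's own timestamp
    return user, time_left


def handle_request(cookie: str, now: int, timeout: int = TIMEOUT):
    """Model the sliding session: returns (user, replacement_cookie_or_None)."""
    result = validate_cookie(cookie, now, timeout)
    if result is None:
        return None, None
    user, time_left = result
    # Outside the 10% window (more than 10% of the lifetime elapsed): re-issue
    # with a fresh timestamp, which is what extends the session per request.
    if time_left < 0.9 * timeout:
        return user, make_cookie(user, now)
    return user, None


if __name__ == "__main__":
    first = make_cookie("alice", 1000)
    print(handle_request(first, 1030))  # inside the window: no new cookie
    print(handle_request(first, 1100))  # outside the window: fresh cookie
    print(validate_cookie(first, 1601))  # expired: None
```

The point for Jens's question is visible in `handle_request`: expiry is measured from the timestamp inside the cookie, but because each request outside the window answers with a cookie carrying the current time, an active client keeps the session alive indefinitely, while an idle one loses it after `timeout` seconds.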