OK, I see. I was confused by the DELETE /_session endpoint. BTW, what I'm trying to do is just the possibility to have a user logout another session of his own.
I clearly understand that with something else sitting in front of couch and hiding couch's session I can do the same, but then I don't exactly grasp the coolness of the /_session endpoint, one could just always inject the Basic Auth and have the same result (without the hassle of the expiration). I guess I'm misunderstanding something, please shed some light if you can ;-)

---
Andrea Brancatelli

On 2020-01-21 16:44, Jonathan Hall wrote:

> No, there's not. I've previously answered this same question on
> StackOverflow: https://stackoverflow.com/a/43354080/13860 Answer pasted
> below:
>
> Is it possible to view a list of active user sessions on a couchdb
> server?
>
> Short answer: No.
>
> Long answer: There's no such thing, really, as user sessions in CouchDB.
>
> CouchDB's "user session" cookies are just an HMAC of the user's password
> salt, the server secret, and the time the cookie was created (so it can tell
> when it expires).
>
> This means that an "active session" is any cookie that contains a valid HMAC
> composed from a valid user salt, the valid user cookie, and any timestamp
> that is less than N minutes in the past (where N is the expiration time).
>
> These sessions don't even have to be created on the CouchDB server, so even
> logging auth requests is not sufficient. It's a common practice in some
> situations to create these cookies in an app external to CouchDB.
>
> As a followup question:
>
> Why are you interested in listing active sessions? Maybe there's an
> alternative approach to accomplish whatever you're aiming for.
>
> On 1/21/20 3:54 PM, Andrea Brancatelli wrote:
>
>> Hello everybody,
>>
>> speaking of the _session endpoint, is there any way to have a list of
>> active sessions by _user?
>>
>> I don't seem to find one in the docs but maybe it's me... :-)
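The stateless cookie scheme described in the quoted answer, as an added example that is not part of the thread and is not CouchDB's own code: a simplified model in which the cookie layout, HMAC-SHA1, the `secret + salt` key and the 600-second timeout are assumptions. It shows why there is no session list to query, and why one of a user's sessions cannot be revoked without invalidating all of them.

```python
import base64
import hashlib
import hmac

TIMEOUT = 600  # assumed session lifetime in seconds


def make_cookie(user: str, salt: bytes, secret: bytes, now: int) -> str:
    """Issue a cookie: base64url(user:hex_time:HMAC). Nothing is stored."""
    data = f"{user}:{now:X}".encode()
    mac = hmac.new(secret + salt, data, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(data + b":" + mac).decode()


def verify_cookie(cookie: str, salts: dict, secret: bytes, now: int):
    """Return the user name if the cookie is valid and unexpired, else None.

    Only the per-user salt and the server secret are consulted; there is
    no session table, so the server cannot enumerate issued cookies.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie)
        user, ts, mac = raw.split(b":", 2)
        issued = int(ts, 16)
        salt = salts[user.decode()]
    except (ValueError, KeyError):
        return None
    expected = hmac.new(secret + salt, user + b":" + ts, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user.decode() if 0 <= now - issued <= TIMEOUT else None


if __name__ == "__main__":
    secret = b"constructed-server-secret"      # constructed sample value
    salts = {"andrea": b"constructed-salt-1"}  # stands in for the user docs
    laptop = make_cookie("andrea", salts["andrea"], secret, 1000)
    phone = make_cookie("andrea", salts["andrea"], secret, 1200)
    print(verify_cookie(laptop, salts, secret, 1300))  # both "sessions" valid
    print(verify_cookie(phone, salts, secret, 1300))
    salts["andrea"] = b"constructed-salt-2"    # e.g. after a password change
    print(verify_cookie(laptop, salts, secret, 1300))  # both now rejected
    print(verify_cookie(phone, salts, secret, 1300))
```

In this model the only per-user lever is the salt, so logging out "the other session" means rotating it and re-authenticating the session that should stay alive.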
