The `DELETE /_session` endpoint doesn't do anything on the server at
all. It simply instructs the client to delete the cookie (which the
client can ignore, if it chooses). So that endpoint really is only there
for semantics.
If you want to put a proxy in front of CouchDB, you'd have to also
invent a new session management method, if you want the ability to
delete sessions. I'm sure this could be done, but it wouldn't be trivial.
The only way to invalidate an existing session in CouchDB is to change
the user's password (or the server secret, but that would invalidate
sessions for _all_ users).

Jonathan

On 1/21/20 6:49 PM, Andrea Brancatelli wrote:

OK, I see. I was confused by the DELETE /_session endpoint.
BTW, what I'm trying to do is just the possibility to have a user
log out another session of his own.
I clearly understand that with something else sitting in front of
couch and hiding couch's session I can do the same, but then I don't
exactly grasp the coolness of the /_session endpoint, one could just
always inject the Basic Auth and have the same result (without the
hassle of the expiration).
I guess I'm misunderstanding something, please shed a light if you can ;-)
---
*Andrea Brancatelli*

On 2020-01-21 16:44, Jonathan Hall wrote:

No, there's not. I've previously answered this same question on
StackOverflow: https://stackoverflow.com/a/43354080/13860 Answer
pasted below:
Is it possible to view a list of active user sessions on a couchdb
server?
Short answer: No.
Long answer: There's no such thing, really, as user sessions in CouchDB.
CouchDB's "user session" cookies are just an HMAC of the user's
password salt, the server secret, and the time the cookie was created
(so it can tell when it expires).
This means that an "active session" is any cookie that contains a
valid HMAC composed from a valid user salt, the valid user cookie,
and any timestamp that is less than N minutes in the past (where N is
the expiration time).
These sessions don't even have to be created on the CouchDB server,
so even logging auth requests is not sufficient. It's a common
practice in some situations to create these cookies in an app
external to CouchDB.
As a followup question:
Why are you interested in listing active sessions? Maybe there's an
alternative approach to accomplish whatever you're aiming for.

On 1/21/20 3:54 PM, Andrea Brancatelli wrote:

Hello everybody,
speaking of the _session endpoint, is there any way to have a list of
active sessions by _user?
I don't seem to find one in the docs but maybe it's me... :-)
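
The stateless cookie check described in this thread, as an added example that is not part of the original messages and is not CouchDB's code. It is a simplified model: the `name:hex-timestamp:HMAC` layout, the use of HMAC-SHA1, the 600-second timeout, modelling a password change as a new salt, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

TIMEOUT = 600  # assumed cookie lifetime in seconds (the "N minutes" in the thread)

def _mac(secret, salt, data):
    # HMAC keyed with server secret + per-user password salt (assumed layout)
    return hmac.new(secret + salt, data.encode(), hashlib.sha1).hexdigest()

def make_cookie(user, salt, secret, now):
    """Anyone holding the secret and the salt can mint this; no server call needed."""
    data = f"{user}:{now:X}"
    return f"{data}:{_mac(secret, salt, data)}"

def is_valid(cookie, salts, secret, now):
    """Stateless check: recompute the HMAC and test the age. No session table exists."""
    try:
        user, ts_hex, mac = cookie.rsplit(":", 2)
        created = int(ts_hex, 16)
    except ValueError:
        return False
    salt = salts.get(user)
    if salt is None:
        return False
    expected = _mac(secret, salt, f"{user}:{ts_hex}")
    fresh = 0 <= now - created < TIMEOUT
    return fresh and hmac.compare_digest(mac.encode(), expected.encode())

def demo():
    secret = b"constructed-server-secret"        # constructed sample value
    salts = {"andrea": b"constructed-salt-1"}    # constructed sample value
    t0 = 1_579_600_000
    cookie = make_cookie("andrea", salts["andrea"], secret, t0)
    out = {"fresh": is_valid(cookie, salts, secret, t0 + 60)}
    # "Logout" only asks the client to drop the cookie; the server has nothing
    # to delete, so a copy the client kept still verifies.
    out["after_logout"] = is_valid(cookie, salts, secret, t0 + 120)
    out["expired"] = is_valid(cookie, salts, secret, t0 + TIMEOUT)
    # Password change, modelled as a new salt: that user's old cookies stop verifying.
    new_salts = {"andrea": b"constructed-salt-2"}
    out["after_password_change"] = is_valid(cookie, new_salts, secret, t0 + 120)
    # New server secret: every user's cookies stop verifying.
    out["after_secret_change"] = is_valid(cookie, salts, b"rotated-secret", t0 + 120)
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} valid={ok}")
```
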