Cookie based authentication doesn't expire properly


#1

Hi there!

I am using cookie based authentication. I have a server which creates a session on the Sync Gateway, then passes the cookie details to a client. The client creates a Replicator which connects to the Sync Gateway. I use the setCookie method using the cookie details and a timeout of 10 seconds. The problem is that the Sync Gateway is still accepting changes from the Replicator after the 10 seconds have expired. I think that I may not be understanding the process correctly. Is the following basically correct?

  • The Replicator (via setCookie) uses the cookie in a header to perform authentication with the Sync Gateway

  • When the cookie expires, the authentication should fail and the Sync Gateway should return a 403

I read in an earlier forum answer that you should be able to see the cookie details for a session (including timeout) by doing a GET on the session, but I only see that the session uses cookie authentication and no details about the cookie itself! Should I be doing something different to get this information?

Also in the Sync Gateway I see the following log:

Changes+: Changes POST request.  URL: /data/_changes?feed=normal&heartbeat=30000&style=all_docs&active_only=true&filter=sync_gateway%2Fbychannel, feed: normal, options: {Since:0 Limit:0 Conflicts:true IncludeDocs:false Wait:false Continuous:false Terminator:<nil> HeartbeatMs:30000 TimeoutMs:300000 ActiveOnly:true}, filter: sync_gateway/bychannel, bychannel: [rwdhupz5Masow08Yn6fyRnrUAI], docIds: []   (to ArtVandelay.Z4kAcFoY8MoEdqiMtK46Oloz)

This log seems to show some information about the replicator and I see a timeout of 300000 ms. Should this value be the timeout value in the cookie? If so, then my issue is that value that I’m setting isn’t being honoured and I can investigate why that is the case. If not, can you tell me what this timeout is used for?

Finally, I wanted to mention that I do not have guest access to the Sync Gateway enabled.

Edit: I’m using Couchbase Lite 1.4 and Sync Gateway 1.5.0.

Thanks so much,
Justin


#2

IIRC, Couchbase Lite only checks cookie expiration when it reads the cookie out of the database at the start of a replication. Once the replication starts it will keep using the same cookie. HTTP cookie expiration is just to allow the client to garbage-collect old cookies; it is not a way to enforce session lifetimes.

The expiration of a session is really handled on the server (SG), which defaults to 24 hours. Cookie expiration dates are never sent to an HTTP server; only the cookie name/value pair. So the server has no idea you intended to make the cookie expire after 10 seconds and will keep honoring it until the session expires on its end.
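
The following is an added illustration of the two points in this thread (the expectation in #1 that a 10-second cookie timeout would make the server start rejecting the replicator, and the explanation in #2 of why it does not). It is example code written for this page, not code from Couchbase Lite, Sync Gateway or either poster. It models a server-side session table with its own TTL, a client that records the cookie's Max-Age locally, and the `Cookie:` request header that actually goes on the wire. The cookie name `SyncGatewaySession`, the 24 h server TTL, the 10 s client timeout, the fixed clock value and the 401 status for a dead session are assumptions chosen to match the thread; adjust them to whatever your server emits.

```python
"""Client-side cookie expiry vs. server-side session expiry (added example)."""
import secrets
from typing import Dict, Optional, Tuple

# Constructed values mirroring the thread: the client asked for a 10 s cookie
# lifetime, while the server's session lifetime defaults to 24 h.
SESSION_COOKIE_NAME = "SyncGatewaySession"   # assumed cookie name
CLIENT_COOKIE_MAX_AGE = 10                   # seconds, set by the client
SERVER_SESSION_TTL = 24 * 3600               # seconds, enforced by the server


class SessionStore:
    """Server-side session table: the only place a lifetime is enforced."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # sid -> (user, expires_at)

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(16)          # no ';' or '=' in the value
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def validate(self, sid: Optional[str], now: float) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]              # server-side expiry is authoritative
            return None
        return user


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie as the client receives it (Max-Age is advice to the client only)."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; HttpOnly"


def parse_set_cookie(header: str, now: float) -> dict:
    """Client-side record of the cookie, including the locally computed expiry."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    max_age = attrs.get("max-age")
    expires_at = now + int(max_age) if max_age is not None else None
    return {"name": name, "value": value, "expires_at": expires_at}


def client_cookie_is_live(cookie: dict, now: float) -> bool:
    """What a cookie jar checks before *starting* a request or replication."""
    return cookie["expires_at"] is None or now < cookie["expires_at"]


def cookie_request_header(cookie: dict) -> str:
    """What goes on the wire: only name=value; expiry attributes never leave the client."""
    return f"{cookie['name']}={cookie['value']}"


def parse_cookie_request_header(header: str) -> Dict[str, str]:
    pairs = (p.strip().partition("=") for p in header.split(";") if p.strip())
    return {k: v for k, _, v in pairs}


def server_handle(store: SessionStore, cookie_header: str, now: float) -> int:
    """Server decision: the session table, not the cookie, decides (401 assumed)."""
    sid = parse_cookie_request_header(cookie_header).get(SESSION_COOKIE_NAME)
    return 200 if store.validate(sid, now) else 401


def simulate() -> dict:
    """Replay the thread's scenario against a fixed, constructed clock."""
    store = SessionStore(SERVER_SESSION_TTL)
    t0 = 1_700_000_000.0                         # constructed start time
    sid = store.create("justin", t0)
    cookie = parse_set_cookie(set_cookie_header(SESSION_COOKIE_NAME, sid, CLIENT_COOKIE_MAX_AGE), t0)
    wire = cookie_request_header(cookie)         # captured once when replication starts
    return {
        "wire_header_has_expiry": ("Max-Age" in wire) or ("Expires" in wire),
        "status_at_start": server_handle(store, wire, t0),
        "client_thinks_expired_at_11s": not client_cookie_is_live(cookie, t0 + 11),
        "status_at_11s": server_handle(store, wire, t0 + 11),
        "status_after_server_ttl": server_handle(store, wire, t0 + SERVER_SESSION_TTL + 1),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the mismatch the thread describes: at 11 seconds the client's own jar would already treat the cookie as dead, but the header the running replicator keeps sending is still accepted, because the server only sees `name=value` and its session entry is still inside the 24 h window. Only once the server-side TTL lapses does the same header start getting rejected. The practical consequence for a defender is that a short lifetime must be configured where the session is created (on the server), not on the client's copy of the cookie.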


#3

Ok this makes sense to me now, thanks for your help!