POST wrong password of user to {bucket}/_session return 200 by 4985 (Couchbase Sync Gateway 1.0.1)?

I am using Couchbase Sync Gateway 1.0.1, and I send a POST request to my local Sync Gateway with the wrong password for a user, but get a 200 response as follows:
curl -i -X POST -H "Content-Type:application/json" -d '{"name":"testuser","password":"111111"}'
HTTP/1.1 200 OK
Content-Length: 140
Content-Type: application/json
Server: Couchbase Sync Gateway/1.00
Date: Mon, 20 Apr 2015 06:46:30 GMT

I think I should get a 403 error or the same error, not 200 with session_id, because I cannot judge whether the user's password is correct.
BTW, I get a 404 error if the user does not exist, or 200 with session_id if the user and password are correct.
I can get 200 with session_id when I only provide the name argument, like this:

curl -i -X POST -H "Content-Type:application/json" -d '{"name":"testuser"}'
HTTP/1.1 200 OK
content-length: 140
content-type: application/json
server: Couchbase Sync Gateway/1.00
date: Mon, 20 Apr 2015 06:56:23 GMT
connection: close


I have got the answer:!searchin/mobile-couchbase/Sync$20gateway$20_session/mobile-couchbase/oFXUG6rSMLA/ClkaiHC7_PEJ

But I want to set a specific expiry time when authenticating a user. How can I do that?

Hey @march44, can you help out here please and advise?



Custom session expiration time is only available when using custom auth and creating a session via the ADMIN REST API.

You can see examples of the REST calls on this ticket:


I’m resurrecting an old post because my query is basically the same and I don’t feel it’s been fully answered. I can submit this as a new thread if you prefer.
I have also read the Google Groups thread linked by atom_yang. I don’t know if I’m better posting this here or in the Google thread. I think it’s bad form to post the same question in both, so I will post it here for now. However, please let me know if it would be better to post there. If I don’t get a response to this today, I’ll post on that group tomorrow.

I am trying to write an http handler using sync gateway to perform a user login. Ideally I would like to set the ttl time.

If I start a session using the admin port (4985), I can do this. However, it ignores the password, so any password works.
If I start a session using the public port (4984), it uses the password and fails if this is wrong. However, it’s not possible to set a ttl time.

What is the best method to start a session with both password authentication and a custom ttl time?

The only solution that I can think of is to create a session with port 4984. If that works, log out of that session and create a new session with 4985. Is this the recommended method?


I think it works, but not the best.
In my case, I can accept using the public port (default is 4984), which cannot set the ttl time, because using a static password is not secure enough.
I think you should use a custom auth service to handle the custom auth, as andy said above, and then use the admin port (default is 4095) to set the ttl time and create a session.

Thanks atom_yang.
So just to reiterate and get it straight in my mind, the custom auth is NOT done by requesting a session from couch sync gateway. Once the custom auth service has verified the password, you then use the admin port to create a session without password (as it’s ignored). Is this correct?

Is there any info on the custom auth service? I don’t really understand what this involves.


Okay, just read the custom authentication section on here…

Trying to understand the best method of authentication now (OAuth?) but I get the idea.
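
The flow discussed in this thread (check the password in your own auth service, then ask the admin port for a session with a TTL) as an added example; it is not code from any poster or from Couchbase. Assumptions: the admin API listens on loopback only, the database name `db` and the credential store are hypothetical, and the admin `_session` request takes `name` and `ttl` (seconds).

```python
import hashlib, hmac, json, urllib.error, urllib.request

ADMIN_URL = "http://127.0.0.1:4985"  # assumption: admin port reachable only from this host
DB = "db"                            # hypothetical database name

def hash_password(password, salt, iterations=200_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(store, name, password):
    """store maps name -> (salt, digest); a hypothetical store owned by the auth service."""
    if not isinstance(password, str) or not password:
        return False  # a missing password must never reach the admin port
    # Unknown users still cost one hash and fail exactly like a wrong password.
    salt, digest = store.get(name, (b"\x00" * 16, b""))
    return hmac.compare_digest(hash_password(password, salt), digest)

def http_post(url, payload):
    """Default transport: POST JSON and return (status, parsed body)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}
    except urllib.error.URLError:
        return 503, {}

def login(store, name, password, ttl_seconds, post=http_post):
    """Verify the password locally, then create the session via the admin API."""
    if not verify_password(store, name, password):
        return 401, {"error": "Unauthorized"}  # admin API is not contacted
    status, body = post(f"{ADMIN_URL}/{DB}/_session",
                        {"name": name, "ttl": ttl_seconds})
    if status != 200:
        return 502, {"error": "session creation failed"}
    # Hand back only the session fields the client needs.
    wanted = ("session_id", "expires", "cookie_name")
    return 200, {k: body[k] for k in wanted if k in body}
```

Because the admin port ignores the password, the password check in `login` is the only gate in front of it; the handler returns the same 401 for an unknown user and for a wrong password.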