Session Deletion for HTTPS Configured Sync Gateway

#1

I am running a sync gateway using the HTTPS configuration and am running into issues when trying to delete a session. I am using the session login described here so that we can store the sessionid on the device so users do not need to login each time our application is opened and minimizes the security threat of doing something like that. On user log out I would like the sessionid to be deleted. The normal deletion REST API described here was working on the sync gateway before we switched to HTTPS, but now using the same API with an https call instead of a http one I am getting a response of '{"error":"not_found","reason":"no session"}'. The session creation still works with HTTPS, but not deletion. Do I need to do something additional to ensure the session is deleted from the sync gateway?

#2

Hi Brandon_synder,
Functionally it should work the same as HTTP. Did any operations before DELETE work after you created the session?

Also, can you make sure the session id is provided? If the session id is provided, can you make sure it is a valid one?

#3

Thanks for the response! Yes, operations such as logging in with that session id worked before and after DELETE. A session id is also provided and valid. I am testing it through command line REST API calls to try to keep things as simple as possible. After the CREATE call I get a SyncGatewaySession, Path, and Expires. I can then access information about the session through the Admin REST calls, which shows the session is valid, but when I try to delete the session through the Public port it returns that same "no session" error. I can DELETE through the Admin port using the session id though. We need the user to be able to delete their own session though.

The calls I'm using, just to make sure I'm doing things correctly:
CREATE
curl -X POST "https://localhost/{db}/_session" -H "accept: application/json" -H "Content-Type: application/json" -d '{ "name": "{user}", "password": "{password}" }' -u {user} -k (since we are using self-assigned certificates, we ignore the credential check)
DELETE
curl -X DELETE "https://localhost:4984/{db}/_session" -H "accept: application/json" -H "cookie: {session_id}" -u {user} -k
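A scripted version of the create-then-delete sequence above, as an added example that is not code from this thread: it reads the SyncGatewaySession cookie from the Set-Cookie header of the POST and sends it back as the Cookie header on the DELETE through the public port. Host, port, database name, credentials and the certificate path are placeholders; trusting the gateway's own certificate file replaces curl's -k so that TLS verification stays on.

```python
import json
import ssl
import urllib.request
from http.cookies import SimpleCookie
from urllib.error import HTTPError

COOKIE_NAME = "SyncGatewaySession"  # cookie set by POST /{db}/_session


def cookie_header_from_set_cookie(set_cookie: str) -> str:
    """Build the Cookie header value from the Set-Cookie header of the POST.
    Only name=value goes back to the server; Path and Expires are attributes
    for the client and must not be copied into the Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if COOKIE_NAME not in jar:
        raise ValueError(f"no {COOKIE_NAME} cookie in {set_cookie!r}")
    return f"{COOKIE_NAME}={jar[COOKIE_NAME].value}"


def tls_context(cacert_path: str) -> ssl.SSLContext:
    """Trust only the gateway's self-signed certificate (placeholder path)
    instead of switching verification off as curl -k does."""
    return ssl.create_default_context(cafile=cacert_path)


def create_session(base_url, db, user, password, ctx) -> str:
    """POST /{db}/_session; returns the Cookie header value for later calls."""
    req = urllib.request.Request(
        f"{base_url}/{db}/_session",
        data=json.dumps({"name": user, "password": password}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return cookie_header_from_set_cookie(resp.headers["Set-Cookie"])


def delete_session(base_url, db, cookie, ctx):
    """DELETE /{db}/_session on the public port with the session cookie.
    Returns (status, body) so an error JSON such as the thread's
    "no session" response is visible instead of raising."""
    req = urllib.request.Request(f"{base_url}/{db}/_session",
                                 headers={"Cookie": cookie}, method="DELETE")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":  # placeholders: adjust host, db, user, cert
    ctx = tls_context("sg-selfsigned.pem")
    base = "https://localhost:4984"
    cookie = create_session(base, "db", "user", "password", ctx)
    print(delete_session(base, "db", cookie, ctx))
```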

#4

@Brandon_Snyder, everything looks fine to me. If delete session works for the Admin port, it should work for the public port too. By the way, I see that you are providing a user, which is not required. Can you try this curl command, the same as mentioned in the doc?
curl -X DELETE "http://localhost:4984/{db}/_session" -H "accept: application/json" -H "cookie: {session_id}"

#5

So when trying the base command (I still have to use HTTPS instead of HTTP, which then means I must use -k since it is a self-signed certificate) I get the response '{"error":"Unauthorized","reason":"Login required"}'. This was true with a non-HTTPS setup as well, so I believe that providing a user is necessary when accessing the public port.