Closed markusd closed 4 years ago
Out of curiosity is there a particular CouchDB version you are using that doesn't provide the Max-Age attribute?
CouchDB 3.1.0 does not return it:
{"couchdb":"Welcome","version":"3.1.0","git_sha":"ff0feea20","uuid":"0befa9b1-b7b0-11ea-b05f-961ac42f4b44","features":["search","access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"IBM"}}
Set-Cookie: AuthSession=XXXX; Version=1; Secure; Path=/; HttpOnly
@ricellis Dug a bit further and it looks like this is happening when the database instance has allow_persistent_cookies = false in the config.
https://docs.couchdb.org/en/stable/config/auth.html#authentication-configuration
yes, we came to the same conclusion
Hi, we ran into this problem over the past week and have eventually found this issue, which matches the behaviour we're seeing. We noticed there hasn't been a release since the 2nd of March - are there plans to release version 4.2.5 containing this fix? We would really need this fix soon, to unblock our work. Thank you!
Yes, the milestone items are all in now and a release will be happening ASAP.
If you need to unblock faster, change your server configuration to use allow_persistent_cookies=true which will give the cookies an expiry header.
Bug Description
The cookieauth plugin with autoRenew=true can get the TokenManager into a state where it constantly renews the token. This happens if the Max-Age cookie header field is missing.
1. Steps to reproduce and the simplest code sample possible to demonstrate the issue
Connect using the cookieauth plugin and get a Set-Cookie HTTP header without the Max-Age field.
2. What you expected to happen
Cookie to be renewed after the Max-Age from the Set-Cookie header, or the defaultMaxAgeSecs if not present.
3. What actually happened
Cookie is renewed constantly
Environment details
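
The renewal timing the issue expects, sketched as an added example that is not part of the original issue or the project's code. The function names, the renew-at-half-lifetime policy and the one-second floor are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the cookieauth plugin's own code.
const DEFAULT_MAX_AGE_SECS = 600; // assumed value standing in for defaultMaxAgeSecs
const MIN_DELAY_MS = 1000;        // assumed floor so a bad value can never spin

// Extract Max-Age (in seconds) from one Set-Cookie header value.
// Returns null when the attribute is absent or not a positive integer,
// which is the case for a session cookie such as
// "AuthSession=XXXX; Version=1; Secure; Path=/; HttpOnly".
function parseMaxAgeSecs(setCookie) {
  // The first segment is the cookie's name=value pair; attributes follow it.
  for (const part of String(setCookie).split(';').slice(1)) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // flag attributes: Secure, HttpOnly
    const name = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim();
    if (name === 'max-age' && /^[0-9]+$/.test(value)) {
      const secs = Number(value);
      return secs > 0 ? secs : null;
    }
  }
  return null;
}

// Delay before the next renewal: half the cookie lifetime (assumed policy),
// using the default when Max-Age is missing. The result is always a finite
// number >= MIN_DELAY_MS; a NaN or 0 delay handed to setTimeout fires almost
// immediately, which is how a missing field can become a renewal loop.
function renewalDelayMs(setCookie, defaultMaxAgeSecs = DEFAULT_MAX_AGE_SECS) {
  const maxAge = parseMaxAgeSecs(setCookie) ?? defaultMaxAgeSecs;
  const delay = Math.floor((maxAge * 1000) / 2);
  return Number.isFinite(delay) ? Math.max(delay, MIN_DELAY_MS) : MIN_DELAY_MS;
}

// The first header is the one quoted in the thread; the second is a
// constructed variant carrying Max-Age.
const sessionCookie = 'AuthSession=XXXX; Version=1; Secure; Path=/; HttpOnly';
const persistentCookie = 'AuthSession=XXXX; Version=1; Max-Age=120; Path=/; HttpOnly';
console.log(renewalDelayMs(sessionCookie));    // falls back to the default
console.log(renewalDelayMs(persistentCookie)); // uses the header's Max-Age
```
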