Cookie based authentication doesn't expire properly

Hi there!

I am using cookie based authentication. I have a server which creates a session on the Sync Gateway, then passes the cookie details to a client. The client creates a Replicator which connects to the Sync Gateway. I use the setCookie method using the cookie details and a timeout of 10 seconds. The problem is that the Sync Gateway is still accepting changes from the Replicator after the 10 seconds have expired. I think that I may not be understanding the process correctly. Is the following basically correct?

  • The Replicator (via setCookie) uses the cookie in a header to perform authentication with the Sync Gateway

  • When the cookie expires, the authentication should fail and the Sync Gateway should return a 403

I read in an earlier forum answer that you should be able to see the cookie details for a session (including timeout) by doing a GET on the session, but I only see that the session uses cookie authentication and no details about the cookie itself! Should I be doing something different to get this information?

Also in the Sync Gateway I see the following log:

Changes+: Changes POST request.  URL: /data/_changes?feed=normal&heartbeat=30000&style=all_docs&active_only=true&filter=sync_gateway%2Fbychannel, feed: normal, options: {Since:0 Limit:0 Conflicts:true IncludeDocs:false Wait:false Continuous:false Terminator:<nil> HeartbeatMs:30000 TimeoutMs:300000 ActiveOnly:true}, filter: sync_gateway/bychannel, bychannel: [rwdhupz5Masow08Yn6fyRnrUAI], docIds: []   (to ArtVandelay.Z4kAcFoY8MoEdqiMtK46Oloz)

This log seems to show some information about the replicator and I see a timeout of 300000 ms. Should this value be the timeout value in the cookie? If so, then my issue is that value that I’m setting isn’t being honoured and I can investigate why that is the case. If not, can you tell me what this timeout is used for?

Finally, I wanted to mention that I do not have guest access to the Sync Gateway enabled.

Edit: I’m using Couchbase Lite 1.4 and Sync Gateway 1.5.0.

Thanks so much,
Justin

IIRC, Couchbase Lite only checks cookie expiration when it reads the cookie out of the database at the start of a replication. Once the replication starts it will keep using the same cookie. HTTP cookie expiration is just to allow the client to garbage-collect old cookies; it is not a way to enforce session lifetimes.

The expiration of a session is really handled on the server (SG), which defaults to 24 hours. Cookie expiration dates are never sent to an HTTP server; only the cookie name/value pair. So the server has no idea you intended to make the cookie expire after 10 seconds and will keep honoring it until the session expires on its end.
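The point in the answer above, modelled as an added example (not Couchbase Lite or Sync Gateway code): a toy server-side session table with its own TTL, and a client that attaches a local expiry to the cookie. The request `Cookie` header only ever carries `name=value`, so the server's stored expiry is the only one that can deny a request. The cookie name, user name and timings are constructed for the demo.

```python
"""Why a client-side cookie expiry cannot bound a session (constructed demo).

Models the behaviour described in the thread: the client may attach any
Max-Age/Expires it likes when it stores the cookie, but the request header
sent to the server carries only name=value, so the server can only enforce
the lifetime it recorded when it created the session.
"""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "SyncGatewaySession"  # hypothetical cookie name for the demo


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self, default_ttl_seconds=24 * 3600):
        # 24 h mirrors the server-side default mentioned in the answer.
        self.default_ttl = default_ttl_seconds
        self._sessions = {}  # cookie value -> (username, expires_at)

    def create(self, username, now, ttl_seconds=None):
        """Create a session; the TTL stored here is the one that is enforced."""
        ttl = self.default_ttl if ttl_seconds is None else ttl_seconds
        value = secrets.token_urlsafe(24)
        self._sessions[value] = (username, now + ttl)
        return value

    def revoke(self, value):
        """Ending a session early is a server-side action, not a cookie attribute."""
        self._sessions.pop(value, None)

    def authenticate(self, cookie_header, now):
        """Return the user for a live session cookie, or None (the 403 case)."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(SESSION_COOKIE_NAME)
        if morsel is None:
            return None
        entry = self._sessions.get(morsel.value)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[morsel.value]  # expired on the server's clock
            return None
        return username


def cookie_header_as_sent(value, client_expiry_seconds):
    """Build the Cookie request header a client emits for a stored cookie.

    The client may record max-age/expires locally (the setCookie timeout in
    the question), but only key=value is put on the wire.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE_NAME] = value
    jar[SESSION_COOKIE_NAME]["max-age"] = client_expiry_seconds  # stays in the client's jar
    morsel = jar[SESSION_COOKIE_NAME]
    return f"{morsel.key}={morsel.coded_value}"


def simulate(server_ttl_seconds, client_expiry_seconds, probe_offsets):
    """Probe the server at several offsets after session creation.

    Returns one bool per offset: True if the server still accepts the cookie.
    """
    store = SessionStore(default_ttl_seconds=server_ttl_seconds)
    t0 = 1_000_000  # constructed epoch-style timestamp
    value = store.create("justin", now=t0)
    header = cookie_header_as_sent(value, client_expiry_seconds)
    return [store.authenticate(header, now=t0 + dt) is not None for dt in probe_offsets]


if __name__ == "__main__":
    # Server TTL 60 s, client-side expiry 10 s: the 10 s has no effect at all.
    print(simulate(60, 10, [5, 15, 59, 60]))
```

Running it shows the request at 15 s is still accepted despite the client's 10 s expiry, and only the server's 60 s TTL (or an explicit `revoke`) ends the session; the practical consequence is to set the lifetime you want when the session is created on the server rather than on the cookie the client holds.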

Ok this makes sense to me now, thanks for your help!