
chttpd_auth with cookie_domain is not returning the domain in cookie in Unauthorized sessions (401) and subsequent authenticated calls will include 2 AuthSession cookies and no calls will further work

Open tudordumitriu opened this issue 4 years ago • 6 comments

cookie_domain is not sent on 401 Unauthorized Set-Cookie header causing 2 AuthSession cookies to be sent

Description

We do have a special scenario because we are using the AuthSession cookie returned by CouchDB in other (third party / friendly) API calls (hence the cookie needs to be shared across subdomains; the API has the secret and can decode the cookie). Now the problem is that these services (including CouchDB) are published under the same domain (different subdomains, different IPs), so the only way to make sure the cookie is correctly shared is using cookie_domain, which seems to be working fine. But, in the case of incorrect credentials, a (correct) 401 Response is returned by CouchDB and there is a Set-Cookie header with AuthSession=; (with no domain) that should reset/delete the cookie. If correct credentials are sent the second time, CouchDB returns the correct Set-Cookie with AuthSession and Domain. Problem: subsequent calls are getting 2 AuthSession cookies (first empty and second the correct one) but CouchDB returns 401 (unauthorized).

Steps to Reproduce

  1. Send incorrect credentials to /_session => Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
  2. Send correct credentials to /_session => Set-Cookie: AuthSession=XXXX; Version=1; Expires=Wed, 22-Dec-2021 17:41:26 GMT; Max-Age=2600000; Domain=domain.com; Path=/; HttpOnly; SameSite=Lax
  3. Send a call to /_users/org.couchdb.user%3AX => it will have Cookie: AuthSession=; AuthSession=XXXX (both)

Expected Behaviour

When sending incorrect credentials, the Set-Cookie domain should be included, and therefore there should be only one cookie.

Your Environment

CouchDB version used: 3.1.1 Docker Image via K8S Service (Azure AKS)
Browser name and version: Chrome 96, Edge 96, Firefox 94
Operating system and version: Windows 10 Pro

Additional Context

tudordumitriu, Nov 22 '21 15:11
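An added example, not code from the issue or from CouchDB, that replays the Set-Cookie sequence from the steps above into Python's http.cookiejar and shows why the client then sends two AuthSession cookies. The host name couch.domain.com, the clearing header that carries Domain (the expected behaviour), and the server model that reads only the first AuthSession value are assumptions.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample values, modelled on the headers quoted in this issue.
COUCH_URL = "https://couch.domain.com"  # assumed host under cookie_domain
VALID_TOKEN = "XXXX"

# Set-Cookie emitted on 401 as reported: no Domain attribute.
CLEAR_NO_DOMAIN = "AuthSession=; Version=1; Path=/; HttpOnly"
# Clearing header with the same Domain as the login cookie (assumed fix shape).
CLEAR_WITH_DOMAIN = "AuthSession=; Version=1; Domain=domain.com; Path=/; HttpOnly"
# Set-Cookie emitted on successful login (Expires dropped so the sample never ages out).
LOGIN_COOKIE = ("AuthSession=XXXX; Version=1; Max-Age=2600000; "
                "Domain=domain.com; Path=/; HttpOnly; SameSite=Lax")


class _Response:
    """Minimal stand-in for an HTTP response: the cookie jar only needs .info()."""
    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for h in set_cookie_headers:
            self._msg["Set-Cookie"] = h

    def info(self):
        return self._msg


def client_cookie_header(set_cookie_sequence):
    """Replay Set-Cookie headers from /_session into a browser-like jar and
    return the Cookie header the client would send to /_users afterwards."""
    jar = http.cookiejar.CookieJar()
    for header in set_cookie_sequence:
        req = urllib.request.Request(COUCH_URL + "/_session")
        jar.extract_cookies(_Response([header]), req)
    req = urllib.request.Request(COUCH_URL + "/_users/org.couchdb.user%3AX")
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def auth_session_values(cookie_header):
    """Every AuthSession value in a Cookie header, in the order the client sent them."""
    values = []
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "AuthSession":
            values.append(value)
    return values


def server_status(cookie_header):
    """Model of a server that honours only the first AuthSession value
    (an assumption that matches the 401 reported in this issue)."""
    values = auth_session_values(cookie_header)
    return 200 if values and values[0] == VALID_TOKEN else 401
```

The host-only empty cookie and the Domain=domain.com cookie are stored as two separate entries, so both are sent; once the clearing header carries the same Domain, the login cookie overwrites it and only one AuthSession remains.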

addressed in #3869 and #3870.

rnewson, Dec 10 '21 00:12

Hi @rnewson, I see the comment that this was addressed and we are running 3.2.2, but the bug is still replicating. Was this released in 3.2.2, and is there anything special we have to configure? Thanks

tudordumitriu, Jul 07 '22 08:07

@tudordumitriu hm, those fixes do not appear to be present in 3.2.2.

rnewson, Jul 07 '22 11:07

We will figure out why the fixes did not get released yet and make a new release that includes them in due course.

rnewson, Jul 07 '22 11:07

We released 3.2.2 off of 3.2.1 + a few manual backports from 3.x plus the cookie=monster security issue. At the time, 3.x had been in flux enough to not be a stable base for a quick and safe security release. The commit that fixes this in 3.x had not been part of the commits that were backported into 3.2.2.

janl, Jul 07 '22 12:07

Hi guys and thanks for the reply! When do you think this will get released? Will there be a 3.2.3 soon?

tudordumitriu, Jul 15 '22 12:07

Closing this, because it's fixed in main. I can't give you a date when a new version is released. You can compile CouchDB if you need a version with the fix.

big-r81, Aug 23 '22 12:08