[ https://issues.apache.org/jira/browse/COUCHDB-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Newson resolved COUCHDB-2042.
------------------------------------
    Resolution: Invalid

The DELETE method returns a header that instructs the user agent to discard the cookie they've stored. In your examples, you have not done so (curl supports options to read and write a cookie jar that you are not using). Cookies have an embedded timestamp, signed by the server, after which they are not considered valid. CouchDB does *not* have any knowledge of outstanding sessions and, thus, cannot delete sessions. If a browser is not clearing the cookie on sign out, that's a bug. This demonstration with curl is not demonstrating the bug you think it is.

> Session not cleared after DELETE /_session (cookie auth)
> --------------------------------------------------------
>
>                 Key: COUCHDB-2042
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2042
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.4.0, 1.5.0
>            Reporter: Johannes J. Schmidt
>              Labels: security
>
> The session remains valid after deletion.
> Steps to reproduce:
>
> h3. Login
> {code}
> jo@think:~$ curl -i -XPOST localhost:5984/_session -d'{"name":"jo","password":"secure"}' -H'Content-Type:application/json'
> HTTP/1.1 200 OK
> Set-Cookie: AuthSession=am86NTJFOTE1NzM6s-jpL-0bFHe7K73tcJEYPymaXIU; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.4.0 (Erlang OTP/R16B01)
> Date: Wed, 29 Jan 2014 14:51:31 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 43
> Cache-Control: must-revalidate
>
> {"ok":true,"name":null,"roles":["_admin"]}
> {code}
>
> h3. Logout
> {code}
> jo@think:~$ curl -i -XDELETE localhost:5984/_session
> HTTP/1.1 200 OK
> Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.4.0 (Erlang OTP/R16B01)
> Date: Wed, 29 Jan 2014 14:51:41 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 12
> Cache-Control: must-revalidate
>
> {"ok":true}
> {code}
>
> h3. Check session using previous cookie
> {code}
> jo@think:~$ curl -i localhost:5984/_session -b'AuthSession=am86NTJFOTE1NzM6s-jpL-0bFHe7K73tcJEYPymaXIU; Version=1; Path=/; HttpOnly'
> HTTP/1.1 200 OK
> Server: CouchDB/1.4.0 (Erlang OTP/R16B01)
> Date: Wed, 29 Jan 2014 14:51:57 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 173
> Cache-Control: must-revalidate
>
> {"ok":true,"userCtx":{"name":"jo","roles":["_admin"]},"info":{"authentication_db":"_users","authentication_handlers":["oauth","cookie","default"],"authenticated":"cookie"}}
> {code}

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
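An added example (not part of the issue or of CouchDB's own code) that illustrates the stateless scheme the resolution describes: the AuthSession value is base64url of `name:HEXTIMESTAMP:MAC`, so validity is decided by recomputing the MAC and comparing the embedded timestamp against the timeout, with no server-side session table to delete from. The MAC construction is assumed to mirror CouchDB 1.x (HMAC-SHA1 keyed by server secret plus user salt); the secret and salt below are constructed, and only the unsigned name and timestamp fields of the cookie from the report are decoded.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

DEFAULT_TIMEOUT = 600  # CouchDB's default cookie lifetime, in seconds


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_auth_session(cookie: str):
    """Split an AuthSession value (base64url of name:HEXTIMESTAMP:MAC) into its fields."""
    name, ts_hex, mac = _b64url_decode(cookie).split(b":", 2)
    return name.decode(), int(ts_hex, 16), mac


def make_auth_session(name, issued_at, secret, salt):
    # Assumed to mirror CouchDB 1.x: HMAC-SHA1 keyed by server secret + user
    # salt over "name:HEXTIMESTAMP". Key material passed in here is constructed.
    msg = f"{name}:{issued_at:X}".encode()
    return _b64url_encode(msg + b":" + hmac.new(secret + salt, msg, hashlib.sha1).digest())


def validate_auth_session(cookie, secret, salt, now, timeout=DEFAULT_TIMEOUT):
    """Stateless check: recompute the MAC, then test the embedded timestamp.
    No session store is consulted, so a DELETE /_session cannot revoke a kept cookie."""
    name, issued_at, mac = parse_auth_session(cookie)
    msg = f"{name}:{issued_at:X}".encode()
    expected = hmac.new(secret + salt, msg, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected) and now < issued_at + timeout


def demo():
    # The cookie issued by the login in the report (copied from the page).
    name, issued_at, _ = parse_auth_session("am86NTJFOTE1NzM6s-jpL-0bFHe7K73tcJEYPymaXIU")
    issued = datetime.fromtimestamp(issued_at, timezone.utc)
    # Re-mint an equivalent cookie with constructed keys to exercise the checks.
    secret, salt = b"constructed-server-secret", b"constructed-user-salt"
    cookie = make_auth_session(name, issued_at, secret, salt)
    return {
        "name": name,
        "issued": issued.strftime("%a, %d %b %Y %H:%M:%S GMT"),
        "valid_26s_later": validate_auth_session(cookie, secret, salt, issued_at + 26),
        "valid_at_timeout": validate_auth_session(cookie, secret, salt, issued_at + 600),
        "valid_wrong_secret": validate_auth_session(cookie, b"other", salt, issued_at + 26),
    }
```

The decoded timestamp, 0x52E91573, is the login response's Date header (Wed, 29 Jan 2014 14:51:31 GMT); the third curl at 14:51:57 succeeded because it fell inside the timeout window, which is the only thing that ends a cookie's validity server-side.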