Hi,

Currently, _session cookies auto-renew. From what I can read of the code, I 
think this is via [1] calling into [2], which will put a Set-Cookie header on 
the response.

What this means, I think, is that if I can retrieve your session cookie in some 
way, then ensure I keep making calls within the expiration time of the original 
cookie and its auto-renewed descendants, I have an ever-lasting way to access 
your CouchDB data.

(Nearly everlasting, anyway, as the password update process will change the 
password hashing salt which forms a part of what the cookie's signature signs 
over. Nonetheless, this requires the user to notice the compromise and update 
their password to invalidate existing sessions. For many attacks, it is easy to 
get valuable data without tripping alarm bells.)

As far as I can see, this isn't a configurable option. What are the thoughts of 
the list for removing the auto-renew function given its security risks? From 
what I understand, this has been CouchDB's behaviour ~forever, so I can see 
perhaps it's a risky change.

[1]: https://github.com/apache/couchdb/blob/be6de6f32d0be7147dce8ebe39dd54c07d7be31f/src/chttpd/src/chttpd.erl#L1140
[2]: https://github.com/apache/couchdb/blob/1347806d2feebce53325070b475f9e211d240ddf/src/couch/src/couch_httpd_auth.erl#L246

-- 
Mike.
