The behavior you request is actually the default behavior. I ran into this when I was expressly seeking the behavior you're trying to disable, and made a feature request, only to learn that it is indeed configurable. See this issue: https://github.com/apache/couchdb/issues/1598
In short, I believe that you simply need to disable the allow_persistent_cookies option in your configuration.

On December 20, 2018 1:42:18 PM GMT+01:00, Mike Rhodes <couc...@dx13.co.uk> wrote:
>Hi,
>
>Currently, _session cookies auto-renew. From what I can read of the
>code, I think this is via [1] calling into [2], which will put a
>Set-Cookie header on the response.
>
>What this means, I think, is that if I can retrieve your session cookie
>in some way, then ensure I keep making calls within the expiration time
>of the original cookie and its auto-renewed descendants, I have an
>ever-lasting way to access your CouchDB data.
>
>(Nearly everlasting, anyway, as the password update process will change
>the password hashing salt which forms a part of what the cookie's
>signature signs over. Nonetheless, this requires the user notice the
>compromise and update their password to invalidate existing sessions.
>For many attacks, it is easy to get valuable data without tripping alarm
>bells.)
>
>As far as I can see, this isn't a configurable option. What are the
>thoughts of the list for removing the auto-renew function given its
>security risks? From what I understand, this has been CouchDB's
>behaviour ~forever, so I can see perhaps it's a risky change.
>
>[1]:
>https://github.com/apache/couchdb/blob/be6de6f32d0be7147dce8ebe39dd54c07d7be31f/src/chttpd/src/chttpd.erl#L1140
>[2]:
>https://github.com/apache/couchdb/blob/1347806d2feebce53325070b475f9e211d240ddf/src/couch/src/couch_httpd_auth.erl#L246
>
>--
>Mike.
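The risk Mike describes, a sliding session that is re-issued on every request and therefore never expires while a stolen copy keeps being replayed, modelled as an added example that is not CouchDB's code. The cookie format, the `SECRET`, the `TIMEOUT` and `MAX_LIFETIME` values and the `mint`/`verify`/`simulate` names are all constructed for this illustration (a single server secret stands in for the per-user salt Mike mentions). It contrasts three policies: no renewal, renewal with no cap (the behaviour in the thread), and renewal bounded by an absolute lifetime measured from login, which is the usual hardening when sliding sessions are kept:

```python
import hashlib
import hmac

# Constructed values for the toy cookie; none of these are CouchDB settings.
SECRET = b"constructed-demo-secret"
TIMEOUT = 600        # seconds a single issued cookie stays valid (assumed)
MAX_LIFETIME = 3600  # hypothetical absolute cap measured from the original login


def mint(user: str, issued: int, login: int) -> str:
    """Build a signed cookie 'user:issued:login:mac' (our own format)."""
    msg = f"{user}:{issued}:{login}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}:{issued}:{login}:{mac}"


def verify(cookie: str, now: int, renew: bool, absolute_cap: bool):
    """Validate `cookie` at time `now`.

    Returns (ok, new_cookie). `new_cookie` is the re-issued cookie when the
    server renews on each valid request, else None.
    """
    user, issued, login, mac = cookie.split(":")
    issued, login = int(issued), int(login)
    expected = hmac.new(SECRET, f"{user}:{issued}:{login}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, None          # tampered or foreign cookie
    if now - issued > TIMEOUT:
        return False, None          # idle timeout since this cookie was issued
    if absolute_cap and now - login > MAX_LIFETIME:
        return False, None          # hardening: the login itself has aged out
    if renew:
        # Sliding expiry: hand back a fresh cookie carrying the original login time.
        return True, mint(user, now, login)
    return True, None


def simulate(renew: bool, absolute_cap: bool, step: int = 300, horizon: int = 7200) -> int:
    """Someone holding a copy of the cookie replays it every `step` seconds and
    follows each renewed cookie. Returns how many seconds the copy stayed usable
    (capped at `horizon`)."""
    login = 0
    cookie = mint("alice", login, login)
    last_ok = 0
    for now in range(step, horizon + 1, step):
        ok, new_cookie = verify(cookie, now, renew, absolute_cap)
        if not ok:
            break
        last_ok = now
        if new_cookie:
            cookie = new_cookie
    return last_ok


if __name__ == "__main__":
    print("no renewal:             ", simulate(renew=False, absolute_cap=False), "s")
    print("renewal, no cap:        ", simulate(renew=True, absolute_cap=False), "s")
    print("renewal + absolute cap: ", simulate(renew=True, absolute_cap=True), "s")
```

With renewal and no cap the replayed copy is still accepted at the end of the two-hour horizon and would be at any horizon; without renewal it dies at the idle timeout, and with an absolute cap it dies at `MAX_LIFETIME` however often it is refreshed. Whichever policy a server picks, the thread's other point still applies: only rotating what the signature covers (here `SECRET`, in CouchDB the salt changed by a password update) invalidates cookies that are already out.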