tudordumitriu opened a new issue #3840: URL: https://github.com/apache/couchdb/issues/3840
# cookie_domain is not sent on 401 Unauthorized Set-Cookie header, causing 2 AuthSession cookies to be sent

## Description

We do have a special scenario because we are using the AuthSession cookie returned by CouchDB in other (third party / friendly) API calls (hence the cookie needs to be shared between subdomains; the API has the secret and can decode the cookie).

Now the problem is that these services (including CouchDB) are published under the same domain (different subdomains, different IPs), so the only way to make sure the cookie is correctly shared is using the `cookie_domain`, which seems to be working fine.

But, in the case of incorrect credentials, a (correct) 401 response is returned by CouchDB and there is a Set-Cookie header with `AuthSession=;` (with no Domain) that should reset/delete the cookie. If correct credentials are sent the second time, CouchDB returns the correct Set-Cookie with AuthSession and Domain.

Problem: subsequent calls are getting 2 AuthSession cookies (the first empty and the second the correct one), but CouchDB returns 401 (Unauthorized).

## Steps to Reproduce

1. Send incorrect credentials to `/_session` => `Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly`
2. Send correct credentials to `/_session` => `Set-Cookie: AuthSession=XXXX; Version=1; Expires=Wed, 22-Dec-2021 17:41:26 GMT; Max-Age=2600000; Domain=domain.com; Path=/; HttpOnly; SameSite=Lax`
3. A call to `/_users/org.couchdb.user%3AX` will carry `Cookie: AuthSession=; AuthSession=XXXX` (both)

## Expected Behaviour

When sending incorrect credentials, the Set-Cookie Domain should be included, and therefore there should be only one cookie.

## Your Environment

- CouchDB version used: 3.1.1 Docker Image via K8S Service (Azure AKS)
- Browser name and version: Chrome 96, Edge 96, Firefox 94
- Operating system and version: Windows 10 Pro
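To show why the client ends up sending both cookies, here is a small added model of RFC 6265 cookie identity (not CouchDB code and not from the reporter): a stored cookie is keyed by name, domain, path and host-only flag, so a clearing `Set-Cookie` without a Domain attribute creates a second, host-only cookie instead of replacing the domain cookie. The hostname `couch.domain.com` is constructed; the two header values are the ones quoted in the issue.

```python
def parse_set_cookie(header, request_host):
    """Return ((name, domain, path, host_only), value) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.lower()] = v
    domain = attrs.get("domain", "").lstrip(".").lower()
    host_only = domain == ""          # no Domain attribute: host-only cookie
    if host_only:
        domain = request_host.lower()  # RFC 6265 stores the request host instead
    return (name, domain, attrs.get("path", "/"), host_only), value

class CookieJar:
    def __init__(self):
        self.store = {}   # key -> [value, creation order]
        self.counter = 0

    def set_cookie(self, header, request_host):
        key, value = parse_set_cookie(header, request_host)
        self.counter += 1
        old = self.store.get(key)
        # Same name/domain/path/host_only overwrites the value, keeping creation order
        self.store[key] = [value, old[1] if old else self.counter]

    def cookie_header(self, request_host, path="/"):
        sent = []
        for (name, domain, cpath, host_only), (value, order) in self.store.items():
            if host_only:
                matched = request_host == domain
            else:   # domain cookie: host equals Domain or is a subdomain of it
                matched = request_host == domain or request_host.endswith("." + domain)
            if matched and path.startswith(cpath):
                sent.append((-len(cpath), order, f"{name}={value}"))
        return "; ".join(c for _, _, c in sorted(sent))  # longer paths, then oldest first

def reproduce(clear_has_domain=False):
    host = "couch.domain.com"   # constructed hostname under the reported domain
    clear = "AuthSession=; Version=1; Path=/; HttpOnly"   # Set-Cookie from the 401
    if clear_has_domain:        # variant the reporter expects: Domain on the clearing cookie
        clear = clear.replace("Path=/", "Domain=domain.com; Path=/")
    login = ("AuthSession=XXXX; Version=1; Expires=Wed, 22-Dec-2021 17:41:26 GMT; "
             "Max-Age=2600000; Domain=domain.com; Path=/; HttpOnly; SameSite=Lax")
    jar = CookieJar()
    jar.set_cookie(clear, host)
    jar.set_cookie(login, host)
    return jar.cookie_header(host)  # Cookie header on the next request to CouchDB
```

`reproduce()` yields `AuthSession=; AuthSession=XXXX`, matching step 3, while `reproduce(clear_has_domain=True)` yields the single `AuthSession=XXXX` because both headers then share one key.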
