The official documentation states the following about deleting a user's cookie: Link
DELETE /_session
Closes user’s session by instructing the browser to clear the cookie. This does not invalidate the session from the server’s perspective, as there is no way to do this because CouchDB cookies are stateless. This means calling this endpoint is purely optional from a client perspective, and it does not protect against theft of a session cookie.
I can invalidate the cookie on the client but what if somebody siphons the AuthSession=123abc and uses it on the quiet? Isn't this a security problem?
I would like to know how I can avoid this behavior and really destroy the cookie because I would like to have a somewhat secure application with CouchDB.
I'm certain I've answered this question before, but I can't find the duplicate question, so here goes again:
The cookie is a simple hash of the user's login name, the time the cookie was created, the user's password salt, and the server's secret.
This means that to invalidate an existing cookie, you must either wait for enough time to pass that the created timestamp is far enough in the past that the cookie is not considered valid, or change one of the other parts of the hash.
In effect, this typically means it's impossible, because:
If invalidating active sessions is a hard requirement of your application, it's best done in a reverse proxy server that handles authentication, and uses proxy authentication to interact with CouchDB.
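To make the answer concrete, here is a simplified model of the stateless cookie scheme it describes, added as an illustration (this is not CouchDB's own code; the field layout, the HMAC-SHA1 construction, the timeout and all sample values are assumptions). It shows that validation consults no server-side state, so a "logout" cannot revoke a cookie, while expiry, a changed salt or a rotated secret do.

```python
import base64
import hashlib
import hmac

# Constructed example values (not taken from any real deployment).
SERVER_SECRET = "constructed-server-secret"
TIMEOUT_SECONDS = 600


def issue_cookie(name: str, user_salt: str, now: int, secret: str = SERVER_SECRET) -> str:
    """Build a stateless session cookie: base64("name:hextime:mac").

    The MAC covers the user name and creation time and is keyed with the
    server secret plus the user's password salt, as the answer describes.
    """
    session_data = f"{name}:{now:x}"
    key = (secret + user_salt).encode()
    mac = hmac.new(key, session_data.encode(), hashlib.sha1).hexdigest()
    return base64.urlsafe_b64encode(f"{session_data}:{mac}".encode()).decode()


def validate_cookie(cookie: str, user_salt: str, now: int,
                    secret: str = SERVER_SECRET, timeout: int = TIMEOUT_SECONDS):
    """Return the user name if the cookie is valid, otherwise None.

    No server-side session store is consulted: validity depends only on the
    MAC recomputing correctly and the embedded timestamp being recent.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        name, hex_time, mac = raw.split(":", 2)
        created = int(hex_time, 16)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    key = (secret + user_salt).encode()
    expected = hmac.new(key, f"{name}:{hex_time}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered, or the secret/salt changed since issue
    if now - created > timeout:
        return None  # expired
    return name


def logout(cookie: str) -> None:
    """Model of DELETE /_session: the server has nothing to forget."""
    return None
```

Because `logout` has no state to update, a copied cookie keeps validating until it expires or the salt (password change) or server secret changes; a revocable session must live in a layer in front of CouchDB, as the answer suggests.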