
replicator session auth cannot handle multiple Set-Cookie headers in /_session request #5064

Closed
janl opened this issue May 21, 2024 · 1 comment · Fixed by #5066


janl commented May 21, 2024

An HTTP response for /_session that includes two Set-Cookie headers leads to a {error, cookie_format_invalid} error and a failed replication job.

For example, a load balancer could introduce its own Set-Cookie lines:

< Set-Cookie: AuthSession=…; Version=1; Expires=Tue, 21-May-2024 14:24:57 GMT; Max-Age=600; Secure; Path=/; HttpOnly
< Set-Cookie: BIGipServer~example.com=1234567890.18459.0000; path=/; Httponly; Secure

And the session auth handler doesn’t handle this correctly. The only workaround is forcing the _noop handler which has other downsides.


nickva commented May 21, 2024

Playing a bit with mochiweb headers parser, I think we may have to use mochiweb_headers:to_list/1, then go through each 'Set-Cookie', parse out the cookie and ignore any not coming from CouchDB?

> Heads = mochiweb_headers:from_binary([<<"Content-Length:47\r\n">>, <<"Set-Cookie:Custom=ABC; Version=42\r\n">>, <<"Foo:bar\r\n">>, <<"sEt-cOokie:Kustom=DEF; Version=43\r\n\r\n">>]), ok.
ok

> mochiweb_headers:get_value("set-cookie", Heads).
"Kustom=DEF; Version=43, Custom=ABC; Version=42"

> mochiweb_headers:get_primary_value("set-cookie", Heads).
"Kustom=DEF"

> mochiweb_headers:get_combined_value("set-cookie", Heads).
undefined

> mochiweb_headers:to_list(Heads).
[{'Content-Length',"47"},
 {"Foo","bar"},
 {'Set-Cookie',"Kustom=DEF; Version=43"},
 {'Set-Cookie',"Custom=ABC; Version=42"}]
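The approach sketched above (walk every Set-Cookie header individually and keep only CouchDB's AuthSession cookie), shown as an added Python example rather than the project's Erlang code. The response headers are constructed from the ones in the issue, with a placeholder AuthSession value, and the joined form shows why treating all Set-Cookie headers as one combined value breaks.

```python
# Added example (Python, not CouchDB's Erlang code): select the AuthSession
# cookie from a /_session response that carries several Set-Cookie headers.
from typing import Dict, List, Optional, Tuple

# Constructed sample response headers modelled on the issue: CouchDB's own
# AuthSession cookie plus a load-balancer persistence cookie. The token value
# is a placeholder, not a real session.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Length", "47"),
    ("Set-Cookie", "AuthSession=PLACEHOLDER_TOKEN; Version=1; "
                   "Expires=Tue, 21-May-2024 14:24:57 GMT; Max-Age=600; "
                   "Secure; Path=/; HttpOnly"),
    ("Set-Cookie", "BIGipServer~example.com=1234567890.18459.0000; "
                   "path=/; Httponly; Secure"),
]


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased; flag attributes such as Secure map to "".
    Splitting on ';' keeps the comma inside Expires=... intact.
    """
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, str] = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def set_cookie_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Every Set-Cookie value, matched case-insensitively (cf. sEt-cOokie)."""
    return [v for k, v in headers if k.lower() == "set-cookie"]


def auth_session_cookie(headers: List[Tuple[str, str]]) -> Optional[Dict[str, object]]:
    """Return the AuthSession value and Max-Age, ignoring all other cookies.

    Mirrors the fix discussed in the issue: iterate each Set-Cookie header on
    its own and keep only the one whose cookie name is AuthSession.
    """
    for raw in set_cookie_values(headers):
        name, value, attrs = parse_set_cookie(raw)
        if name == "AuthSession":
            age = attrs.get("max-age", "")
            return {"value": value, "max_age": int(age) if age.isdigit() else None}
    return None  # no CouchDB session cookie in this response


def joined_value(headers: List[Tuple[str, str]]) -> str:
    """The comma-joined form a combined-header lookup yields; parsed as one
    cookie, the second cookie's name is swallowed into a bogus attribute."""
    return ", ".join(set_cookie_values(headers))
```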

nickva added a commit that referenced this issue May 22, 2024
Previously, replicator auth session plugin crashed if additional cookie headers
were added besides the default `AuthSession` one.

Fix replicator session plugin to consider only `Set-Cookie` headers with
'AuthSession' set and ignore others.

Co-Authored-By: Robert Newson <rnewson@apache.org>

Fix: #5064
nickva added a commit that referenced this issue May 22, 2024
big-r81 pushed a commit that referenced this issue May 22, 2024