How to configure cookie authentication expiration on Cloudant? - couchdb

Using cookie authentication on Cloudant, is is possible to adjust the life of the cookie?
On a normal CouchDB setup "the session timeout is specified by the "timeout" parameter in the "couch_httpd_auth" section of the configuration. If not specified it defaults to 600 seconds (10 minutes)." I haven't found this option in the Cloudant dashboard.

The lifespan of a cookie is not configurable by the user in Cloudant. Cookies timeout after 24 hours.

Related

Where is the session timeout limit defined for the OAuth2 authentication?

To my understanding, the Oauth2 client uses a session for user login-in management. I, however, can't find where the timeout limit is defined. I am asked to ensure the timeout limit is 15 minutes. Where is the limit defined?
On application.yml, there are 2 parameters for token expiration:

Enforcing inactivity timeout using passport with auth0

I am trying to enforce user logout after a period of inactivity, but I have had no luck.
I have a node web application that is using Auth0 and Passport for authentication. I have set the inactivity timeout on the tenant (from the tenant settings page on Auth0) and modified the jwt expiration on the application settings page, but none of these changes have had an effect on the behavior of the application.
Other information: in the application settings, I have set this as a Regular Web Application, and I have tried Basic and Post for Token Endpoint Authentication Method.
I have followed the node JS quickstart guide that Auth0 provides, as well as one of their blog posts using express-session, passport, and passport-auth0. I am configuring express-session and passport in the order that these two posts show, so I don't think that is the issue. I am guessing that there is an extra step needed to implement this functionality, but I can't find any documentation on Auth0's site or Passport's. I am also confused as to why these values are configurable if they don't seem to have any effect.
When I manually set the maxAge value in express-session's settings, I do see the application make a call to Auth0. However, this is not based on inactivity, and that is my primary goal here.
I work with the Auth0 Community and you are able to configure this as a setting with your Auth0 Tenant as described in the below documentation:
The intent of this approach allows the session to go inactive if the
user is no longer present, but otherwise provides a means to trigger
the silent token refresh so that they can continue their session
without the need to be prompted again for credentials.
Inactivity Timer: A rolling timer should be added to the React SDK
wrapper that aligns with the maximum idle lifetime of the Auth0
session. Each time a token is returned to the application the timer
should be reset.
Timeout Modal: When the timer hits 60 seconds from expiration a
timeout modal should render requesting the user to logout or continue
their session.
Continue the session: In the case the user chooses to continue their
session the getTokenSilently() method can be used to request a new
token without needing to redirect the user from the page they are
currently interacting with.
Logging out: In the case the user chooses to logout the logout()
method should be called to assure the Auth0 session is ended as well.
Idle Timeout: In the case that the idle timeout is reached no
immediate action is necessary. To handle the fact that the user may
still be active in another tab, the behavior should not be to log the
user out.
https://auth0.com/docs/sessions/concepts/session-lifetime
I hope this helps you on your quest!

How to expires the ember-simple-auth session?

I am using ember-simple-auth for authentication in my application. I have created my custom Authenticator. Upon successful authentication, the server returns the token and expire time which I store in session storage of simple-auth.
My question is how do I expires or invalidate this session based on the expire time set in the session?
I also need to invalidate the session on browser close event.
Thanks.
You can simply call the session's invalidate method. To call that after the expiration time that your server returns you could setup a timer with Ember.run.later or use automatic token refreshing as defined in the OAuth 2.0 standard which Ember Simple Auth OAuth 2.0 supports out of the box.

How to renew session in CouchDB

I am using COUCHDB built in Session API in my application. I now want to renew the session as every user logs in, also i do not want to give a long expiry time to the session.
I don't really understand your question. It doesn't make sense that you want to "renew the session as every user logs in".
The whole idea of a session is that it's a per-user-login session. Each user who logs in should trigger a POST /_session request to your CouchDB server, that will respond with an AuthSession cookie which is then what you send back in subsequent requests and that's your session cookie.
The next user who logs in should generate another POST /_session which will create a new session cookie for that user. So there's no renewal as every user logs in.
Now, the expiry on the session is set by the timeout setting in the [couch_httpd_auth] and defaults to 10 minutes. If you want it shorter than that then adjust that setting in your local.ini
So, finally, if you ever want to explicitly remove the session, eg. from a "logout" button, then you do that by sending a DELETE /_session request.

Do you change an authentication token for a cookie-authenticated user? If so, how often?

When a user logs in, I give them a cookie named auth with a value that is a GUID, which expires in 2 weeks. I save the hashed GUID in the database with a salt of their userID and then date when it expires. When a user accesses the site, I check for the cookie and log them in if it matches and hasn't expired in the database.
At some point before the 2 weeks is up I was thinking about updating the row and increasing the expire date.How often do you do this? Every page request seems too often since I will be constantly writing to the user table.
I was also considering changing the auth cookie value at this time. The downside of this is you cannot be authenticated at multiple computers / browsers.
I could accomplish this via a session cookie, so that it this rewrite only happens once per session. When a user accesses a page, I check for a session cookie named authenticated. If it's not there, I give them a new auth cookie value and authentication session cookie and bump the expiry times in the DB and auth cookie. If it is, I just validate off of the auth cookie.
It seems like StackOverflow never changes their auth cookie until you log out and log back in. This seems to make it more vulnerable to session hijacking- if you get the auth cookie, you have access to the users account until they log in again. Since their auth cookie won't expire or change the user will not be logged out by you logging in.
Do you allow a user to log in from multiple locations/browers?
If not, how often do you change their authentication tokens?
It depends on the level of security, places where I have worked it normally has to be kinda high.
No we do not allow people to log in from multiple browsers.
We make people login again after 20 minutes of inactivity. Depending on how accurate you want to be on timing the person out determines how often you want to update the token. I've been places where it the expiration time is updated everytime the user sends a post back to the system.
Hrm I found all of my answers here. Looks like I need a join table >.<.
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

Resources