Skip to main content
To create and manage web sessions and authentication tokens to the HTTP interface from the command line, use the cockroach auth-session with the appropriate subcommands and flags.

Subcommands

SubcommandUsage
loginAuthenticate a user against a running cluster’s HTTP interface, generating an HTTP authentication token (a “cookie”) which can also be used by non-interactive HTTP-based database management tools. Must be used with a valid, existing user. May be used to generate a cookie for the root user.
logoutRevokes all previously-issued HTTP authentication tokens for the given user.
listList all authenticated sessions to the HTTP interface, including currently active and recently expired sessions.

Synopsis

Log in to the HTTP interface, generating an HTTP authentication token for a given user:
Log out from the HTTP interface, revoking all active HTTP authentication tokens for a given user:
List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions:
View help:

Flags

All three auth-session subcommands accept the standard . In addition, the auth-session login subcommand supports the following flags.
FlagDescription
--expire-afterDuration of the newly-created HTTP authentication token, after which the token expires. Specify the duration in numeric values suffixed by one or more of h, m, and s to indicate hour, minute, and second duration. See the example.

Default: 1h0m0s (1 hour)
--only-cookieLimits output to only the newly-created HTTP authentication token (the “cookie”) in the response, appropriate for output to other commands. See the example.

Response

The cockroach auth-session subcommands return the following fields.

auth-session login

FieldDescription
usernameThe username of the user authenticated.
session IDThe session ID to the HTTP interface previously established for that user.
authentication cookieThe cookie that may be used from the command line, or from other tools, to authenticate access to the HTTP interface for that user.

auth-session logout

FieldDescription
usernameThe username of the user whose session was revoked.
session IDThe session ID to the HTTP interface previously established for that user.
revokedThe date and time of revocation for that user’s authenticated session.

auth-session list

FieldDescription
usernameThe username of the user authenticated.
session IDThe session ID to the HTTP interface established for that user.
createdThe date and time a session was created.
expiredThe date and time a session expired.
revokedThe date and time of revocation for that user’s authenticated session. If the session is still active, this will appear as NULL.
last usedThe date and time of the last access to the HTTP interface using this session token.

Required roles

To run any of the auth-session subcommands, you must be a member of the . The user being authenticated via login or logout does not require any special roles.

Considerations

  • The login subcommand allows users with the to create HTTP authentication tokens with an arbitrary duration. If operational policy requires stricter control of authentication sessions, you can:
    • Monitor the system.web_sessions table for all current and recent HTTP sessions. If you monitor this table regularly, consider adjusting the server.log_gc.period and server.log_gc.max_deletions_per_cycle to fine tune garbage collection for this table.
    • Revoke HTTP authentication tokens as needed with the logout subcommand. See the example.
    • Set the --expire-after flag with a shorter duration. See the example.
  • The logout subcommand logs out all sessions for the given user; you cannot target individual sessions for logout. If more granular control of sessions is desired, consider setting the --expire-after flag with a shorter duration. See the example.

Examples

Log in to the HTTP interface

Log in to the HTTP interface, by generating a new HTTP authentication token for the web_user user:

Log in to the HTTP interface with a custom expiry

Log in to the HTTP interface, by generating a new HTTP authentication token for the web_user user and specifying a token expiry of 4 hours and 30 minutes:

Log in to the HTTP interface with limited command output

Log in to the HTTP interface, by generating a new HTTP authentication token for the web_user user, limiting command output to only the generated cookie:
This is useful if you intend to use the cookie with other command line tools. For example, you might output the generated cookie to a local file, and then pass that file to curl using its --cookie flag:
Of course you can also provide the cookie directly:

Terminate all active sessions for a user

Terminate all active sessions for the web_user user:
Note that the output may include recently revoked sessions for this user as well.

List all sessions

List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions:
A value of NULL in the revoked column indicates that the session is still active.

See also