cockroach auth-session with the appropriate subcommands and flags.
Subcommands
Synopsis
Log in to the HTTP interface, generating an HTTP authentication token for a given user:Flags
All threeauth-session subcommands accept the standard .
In addition, the auth-session login subcommand supports the following flags.
Response
Thecockroach auth-session subcommands return the following fields.
auth-session login
auth-session logout
auth-session list
Required roles
To run any of theauth-session subcommands, you must be a member of the . The user being authenticated via login or logout does not require any special roles.
Considerations
- The
loginsubcommand allows users with the to create HTTP authentication tokens with an arbitrary duration. If operational policy requires stricter control of authentication sessions, you can:- Monitor the
system.web_sessionstable for all current and recent HTTP sessions. If you monitor this table regularly, consider adjusting theserver.log_gc.periodandserver.log_gc.max_deletions_per_cycleto fine tune garbage collection for this table. - Revoke HTTP authentication tokens as needed with the
logoutsubcommand. See the example. - Set the
--expire-afterflag with a shorter duration. See the example.
- Monitor the
- The
logoutsubcommand logs out all sessions for the given user; you cannot target individual sessions for logout. If more granular control of sessions is desired, consider setting the--expire-afterflag with a shorter duration. See the example.
Examples
Log in to the HTTP interface
Log in to the HTTP interface, by generating a new HTTP authentication token for theweb_user user:
Log in to the HTTP interface with a custom expiry
Log in to the HTTP interface, by generating a new HTTP authentication token for theweb_user user and specifying a token expiry of 4 hours and 30 minutes:
Log in to the HTTP interface with limited command output
Log in to the HTTP interface, by generating a new HTTP authentication token for theweb_user user, limiting command output to only the generated cookie:
curl using its --cookie flag:
Terminate all active sessions for a user
Terminate all active sessions for theweb_user user:
List all sessions
List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions:NULL in the revoked column indicates that the session is still active.

