Skip to main content
To create and manage web sessions and authentication tokens to the HTTP interface from the command line, use the cockroach auth-session with the appropriate subcommands and flags.

Subcommands

Synopsis

Log in to the HTTP interface, generating an HTTP authentication token for a given user:
Log out from the HTTP interface, revoking all active HTTP authentication tokens for a given user:
List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions:
View help:

Flags

All three auth-session subcommands accept the standard . In addition, the auth-session login subcommand supports the following flags.

Response

The cockroach auth-session subcommands return the following fields.

auth-session login

auth-session logout

auth-session list

Required roles

To run any of the auth-session subcommands, you must be a member of the . The user being authenticated via login or logout does not require any special roles.

Considerations

  • The login subcommand allows users with the to create HTTP authentication tokens with an arbitrary duration. If operational policy requires stricter control of authentication sessions, you can:
    • Monitor the system.web_sessions table for all current and recent HTTP sessions. If you monitor this table regularly, consider adjusting the server.log_gc.period and server.log_gc.max_deletions_per_cycle to fine tune garbage collection for this table.
    • Revoke HTTP authentication tokens as needed with the logout subcommand. See the example.
    • Set the --expire-after flag with a shorter duration. See the example.
  • The logout subcommand logs out all sessions for the given user; you cannot target individual sessions for logout. If more granular control of sessions is desired, consider setting the --expire-after flag with a shorter duration. See the example.

Examples

Log in to the HTTP interface

Log in to the HTTP interface, by generating a new HTTP authentication token for the web_user user:

Log in to the HTTP interface with a custom expiry

Log in to the HTTP interface, by generating a new HTTP authentication token for the web_user user and specifying a token expiry of 4 hours and 30 minutes:

Log in to the HTTP interface with limited command output

Log in to the HTTP interface, by generating a new HTTP authentication token for the web_user user, limiting command output to only the generated cookie:
This is useful if you intend to use the cookie with other command line tools. For example, you might output the generated cookie to a local file, and then pass that file to curl using its --cookie flag:
Of course you can also provide the cookie directly:

Terminate all active sessions for a user

Terminate all active sessions for the web_user user:
Note that the output may include recently revoked sessions for this user as well.

List all sessions

List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions:
A value of NULL in the revoked column indicates that the session is still active.

See also