You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by "Ryan Ramage (JIRA)" <ji...@apache.org> on 2013/05/08 20:43:15 UTC

[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.

    [ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13652205#comment-13652205 ] 

Ryan Ramage commented on COUCHDB-1073:
--------------------------------------

Ok, ran into this issue...maybe unrelated, but will post what I found here in case it helps.

I saw the same behaviour. A DELETE _session call, with a response to empty the AuthSession cookie. Then the second GET to _session returned the auth details. I was a little perplexed. Later I found there was the 'https' section 'WWW-Authenticate Basic' realm="Mobile Web Services", which on first hit causes a basic auth dialog. Logout, and login the browser caches the basic auth and sends it with the second get. I assume the same thing will happen if 'require_valid_user' is true.

So I dont believe the original problem of this issue exists, it was just being exposed based on other settings. 

                
> DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1073
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1073
>             Project: CouchDB
>          Issue Type: Improvement
>            Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira