Posted to dev@couchdb.apache.org by "Jan Lehnardt (JIRA)" <ji...@apache.org> on 2011/04/16 21:28:05 UTC

[jira] [Commented] (COUCHDB-1066) cookie_authentication_handler does not throw if cookie is invalid or has expired

    [ https://issues.apache.org/jira/browse/COUCHDB-1066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13020647#comment-13020647 ] 

Jan Lehnardt commented on COUCHDB-1066:
---------------------------------------

Looks straightforward. +1.

> cookie_authentication_handler does not throw if cookie is invalid or has expired
> --------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1066
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1066
>             Project: CouchDB
>          Issue Type: Bug
>    Affects Versions: 0.11.2, 1.0.2, 1.1
>            Reporter: Robert Newson
>            Assignee: Robert Newson
>            Priority: Critical
>
> cookie_authentication_handler does not throw if the cookie is invalid or has expired, instead it delegates to the next handler.
> This leads to ugly results like getting a response from /_session but with no userCtx filled in.
> cookie_authentication_handler should throw if, and only if, there's an AuthSession cookie that is expired or invalid. We shouldn't attempt to try other auth schemes. If there is no such cookie, then we delegate.

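The handler-chain rule from the issue description, modelled in Python as an added example (not CouchDB's Erlang code and not part of the thread). The cookie layout, secret, timeout and all function names are assumptions made for this model; `strict=False` reproduces the reported fall-through and `strict=True` the requested behaviour.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"    # constructed sample value

class Unauthorized(Exception):
    """Stops the handler chain with an authentication error."""

def make_cookie(user, issued, secret=SECRET):
    # Hypothetical layout for this model only: user:issued:hex-hmac
    sig = hmac.new(secret, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{issued}:{sig}"

def check_cookie(value, now, timeout):
    """Return the user name, or None if malformed, forged or expired."""
    try:
        user, issued, sig = value.split(":")
        issued = int(issued)
    except ValueError:
        return None
    good = hmac.new(SECRET, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return None
    return user if now - issued <= timeout else None

def cookie_handler(req, now, timeout=600, strict=True):
    value = req.get("cookies", {}).get("AuthSession")
    if value is None:
        return None                       # no AuthSession cookie: delegate
    user = check_cookie(value, now, timeout)
    if user is None:
        if strict:                        # requested: fail, try no other scheme
            raise Unauthorized("AuthSession cookie is invalid or expired")
        return None                       # reported: silently delegate
    return {"name": user}

def default_handler(req, now):
    return {"name": None}                 # end of chain: empty (anonymous) userCtx

def authenticate(req, now, strict=True):
    """Run the chain; the first handler that returns a userCtx wins."""
    chain = (lambda r, n: cookie_handler(r, n, strict=strict), default_handler)
    for handler in chain:
        ctx = handler(req, now)
        if ctx is not None:
            return ctx
```

With `strict=False`, a client that presents an expired or tampered cookie receives the same anonymous context as a client that sent no cookie, so it cannot tell that its session is gone.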