You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by "Johnny Weng Luu (JIRA)" <ji...@apache.org> on 2011/02/22 18:22:38 UTC
[jira] Created: (COUCHDB-1073) DELETE _session doesn't delete the
session. Client can still get user information using GET _session and with
the session cookie retrieved.
DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
-------------------------------------------------------------------------------------------------------------------------------------------
Key: COUCHDB-1073
URL: https://issues.apache.org/jira/browse/COUCHDB-1073
Project: CouchDB
Issue Type: Improvement
Reporter: Johnny Weng Luu
When using DELETE _session CouchDB only sends a empty session cookie back.
But if I use the original session cookie when using GET _session I can still get the user information.
https://gist.github.com/838996
This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
Very bad if it's a very sensitive web application like financial.
Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (COUCHDB-1073) DELETE _session doesn't delete the
session. Client can still get user information using GET _session and with
the session cookie retrieved.
Posted by "Jan Lehnardt (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Lehnardt resolved COUCHDB-1073.
-----------------------------------
Resolution: Not A Problem
Since CouchDB doesn't track any /_session state, an explicit logout isn't possible. The default timeout for sessions is 10 minutes, if that is a hazard, you can reduce it in the config.
> DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1073
> URL: https://issues.apache.org/jira/browse/COUCHDB-1073
> Project: CouchDB
> Issue Type: Improvement
> Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete
the session. Client can still get user information using GET _session and
with the session cookie retrieved.
Posted by "Robert Newson (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13199718#comment-13199718 ]
Robert Newson commented on COUCHDB-1073:
----------------------------------------
DELETE _session returns a response that clears the clients AuthSession cookie.
> DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1073
> URL: https://issues.apache.org/jira/browse/COUCHDB-1073
> Project: CouchDB
> Issue Type: Improvement
> Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete
the session. Client can still get user information using GET _session and
with the session cookie retrieved.
Posted by "Dave Cottlehuber (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13199695#comment-13199695 ]
Dave Cottlehuber commented on COUCHDB-1073:
-------------------------------------------
I discovered the same issue last night; still digging in the code but this just smells bad. What does DELETE _session actually do then?
> DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1073
> URL: https://issues.apache.org/jira/browse/COUCHDB-1073
> Project: CouchDB
> Issue Type: Improvement
> Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete
the session. Client can still get user information using GET _session and
with the session cookie retrieved.
Posted by "Ian Bull (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13199417#comment-13199417 ]
Ian Bull commented on COUCHDB-1073:
-----------------------------------
Hi everyone,
Maybe I'm mistaken, but isn't the UserCtx fetched from the /_sessions and used for things like AuthDocs? Since the session is not actually deleted when the user logs out, you can easily "simulate" a user by sending a AuthSession=XXX in your HTTP header. This would fetch the UserCtx from the /_sessions DB and use that for all DB actions (update documents, etc...).
If the DELETE _session actually removed this session, then one a user hits "logout" nobody could "simulate" their session.
Again, maybe I'm wrong / mistaken. I'm just getting into the details of this now.
> DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1073
> URL: https://issues.apache.org/jira/browse/COUCHDB-1073
> Project: CouchDB
> Issue Type: Improvement
> Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete
the session. Client can still get user information using GET _session and
with the session cookie retrieved.
Posted by "Sam Stainsby (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510427#comment-13510427 ]
Sam Stainsby commented on COUCHDB-1073:
---------------------------------------
I saw this behaviour today, and thought it might be a problem. But then I read this:
http://appsandsecurity.blogspot.com.au/2011/04/rest-and-stateless-session-ids.html
which I guess is what's happening here.
> DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1073
> URL: https://issues.apache.org/jira/browse/COUCHDB-1073
> Project: CouchDB
> Issue Type: Improvement
> Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira