Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2019/04/01 03:53:20 UTC

[GitHub] [couchdb] realulim opened a new issue #844: Add new explicit authentication-tokens that can be revoked

URL: https://github.com/apache/couchdb/issues/844
All token-based authentication schemes are vulnerable to CSRF (Cross Site Request Forgery) attacks. In the case of cookies there is an additional risk involved, because the browser sends the cookie automatically with every request. Thus, if the user simply clicks on a malicious link during a CouchDB session, he will send the cookie to the attacker, who will then be able to take over the session.

This is a built-in problem with cookie-based authentication schemes, but CouchDB makes it worse by not providing a way to delete the stateless token upon logout of the user. That means that the attacker can indefinitely use the captured cookie just by sending a ping every 10 minutes - the token will never expire.

I think this is a security issue and should be fixed. Anyone in possession of the stateless token should be able to delete it.

## Expected Behavior

After calling the DELETE /_session endpoint the session should be invalidated on the server.

## Current Behavior

The stateless token is not deleted (as per section 10.2.15 of the documentation).

## Possible Solution

I have no suggestions, because I'm not sure what the problem is with deleting the stateless tokens. In case it has something to do with distribution, I would suggest that eventual consistency is good enough here. As well, if it were possible to set the expiry date - a slightly more complicated way to get rid of the cookie, but it would suffice.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
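The following is an added example illustrating the issue above; it is not CouchDB's code and not code from the issue author. It models a generic stateless HMAC-signed session token (user, login time, last refresh time, signature) with the 10-minute sliding timeout the issue mentions, shows why a server that stores nothing cannot honour DELETE /_session, and then adds the two mitigations the issue floats: a per-user logout timestamp (one monotonic number per user, so eventual consistency is sufficient) and an absolute maximum lifetime. The token layout, the secret, the `RevocationStore` class and the `MAX_LIFETIME` value are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed placeholder secret for this example; a real server keeps this out of source.
SERVER_SECRET = b"constructed-example-secret-not-for-real-use"
TIMEOUT = 600            # sliding inactivity timeout: the "10 minutes" from the issue
MAX_LIFETIME = 8 * 3600  # assumed absolute cap; the "set the expiry date" mitigation


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_token(user: str, now: float, login_at: Optional[float] = None) -> str:
    """Mint a self-contained token: user:login_hex:refresh_hex:hmac, base64url encoded.
    The server stores nothing about it, which is what makes it 'stateless'."""
    login_at = now if login_at is None else login_at
    payload = f"{user}:{int(login_at):x}:{int(now):x}".encode()
    return base64.urlsafe_b64encode(payload + b":" + _sign(payload)).decode()


def _parse(token: str) -> Optional[Tuple[str, int, int]]:
    """Return (user, login_at, refreshed_at) if the HMAC verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token)
        user, login_hex, refresh_hex, mac = raw.split(b":", 3)
        login_at, refreshed_at = int(login_hex, 16), int(refresh_hex, 16)
    except ValueError:  # bad base64, wrong field count or non-hex timestamps
        return None
    payload = b":".join((user, login_hex, refresh_hex))
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    return user.decode(), login_at, refreshed_at


def verify_stateless(token: str, now: float) -> Optional[str]:
    """The situation the issue describes: only the signature and the sliding
    timeout are checked, so nothing the server does at logout changes the outcome."""
    parsed = _parse(token)
    if parsed is None:
        return None
    user, _login_at, refreshed_at = parsed
    if now - refreshed_at >= TIMEOUT:
        return None
    return user


def refresh(token: str, now: float) -> Optional[str]:
    """Sliding renewal on each request: any holder that 'pings' before TIMEOUT
    elapses gets a fresh token carrying the same original login time."""
    parsed = _parse(token)
    if parsed is None or verify_stateless(token, now) is None:
        return None
    user, login_at, _ = parsed
    return issue_token(user, now, login_at)


class RevocationStore:
    """Minimal server-side state for DELETE /_session: per user, the time of the
    most recent logout. A single monotonic number per user merges cleanly under
    last-writer-wins replication, so eventual consistency is enough here."""

    def __init__(self) -> None:
        self.logout_at = {}

    def logout(self, user: str, now: float) -> None:
        self.logout_at[user] = max(int(now), self.logout_at.get(user, -1))


def verify_revocable(token: str, now: float, store: RevocationStore) -> Optional[str]:
    """Stateless checks plus: reject sessions that began before the user's last
    logout, and reject sessions older than MAX_LIFETIME regardless of refreshes."""
    user = verify_stateless(token, now)
    if user is None:
        return None
    _, login_at, _ = _parse(token)
    if login_at <= store.logout_at.get(user, -1):   # session predates the logout
        return None
    if now - login_at >= MAX_LIFETIME:              # refreshing cannot extend past the cap
        return None
    return user


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("alice", t0)
    for i in range(1, 200):                         # a holder pinging every 500 s
        tok = refresh(tok, t0 + 500 * i)
    print("stateless, a day later:", verify_stateless(tok, t0 + 500 * 200))
    store = RevocationStore()
    store.logout("alice", t0 + 50)                  # user called DELETE /_session
    print("revocable, after logout:", verify_revocable(tok, t0 + 500 * 200, store))
```

The key point is that `verify_stateless` has no input the logout can influence: as long as someone refreshes within the timeout, the token stays valid. `verify_revocable` needs only one integer per user to fix that, and the lifetime cap bounds the damage even if the logout write is delayed by replication.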