Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/01/16 22:14:21 UTC

[GitHub] wohali commented on issue #844: Security: Provide a Way to Delete Cookies

URL: https://github.com/apache/couchdb/issues/844#issuecomment-358125361
 
 
   I haven't read or thought about your proposal, but anything that is backwards compatibility breaking couldn't possibly land until 3.0 at the earliest.
   
   If you are concerned about this problem in your own deployments, you can use CouchDB's [proxy authentication](http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication) with a proxy server like Apache HTTP Server handling the auth (via something like OAuth 2.0 or SAML) and bypass the entire problem.
   
   I know that some people were looking at alternatives to cookies for 3.0, i.e. something JWT-based perhaps. However, there are issues with them as well ([1](http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/), [2](http://cryto.net/%7Ejoepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/)).
