couchdb-dev mailing list archives

From "Robert Newson (JIRA)" <j...@apache.org>
Subject [jira] Commented: (COUCHDB-1066) cookie_authentication_handler does not throw if cookie is invalid or has expired
Date Sun, 13 Feb 2011 15:43:57 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12994112#comment-12994112 ]

Robert Newson commented on COUCHDB-1066:
----------------------------------------

Fix here: https://github.com/rnewson/couchdb/compare/COUCHDB-1066

summary: cookie_authentication_handler now throws unauthorized if there's an expired or invalid
AuthSession cookie, Futon now sends the Accept header and so does not rewrite the 401 as a
302.

I have verified that successful requests extend the lifetime of the cookie.

> cookie_authentication_handler does not throw if cookie is invalid or has expired
> --------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1066
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1066
>             Project: CouchDB
>          Issue Type: Bug
>    Affects Versions: 0.11.2, 1.0.2, 1.1
>            Reporter: Robert Newson
>            Assignee: Robert Newson
>            Priority: Critical
>
> cookie_authentication_handler does not throw if the cookie is invalid or has expired, instead it delegates to the next handler.
> This leads to ugly results like getting a response from /_session but with no userCtx filled in.
> cookie_authentication_handler should throw if, and only if, there's an AuthSession cookie that is expired or invalid. We shouldn't attempt to try other auth schemes. If there is no such cookie, then we delegate.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
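
The handler contract described in the issue above (throw on an expired or invalid AuthSession cookie, delegate only when no cookie is sent), as an added Python sketch that is not part of the original message and is not CouchDB's Erlang code. The cookie layout, `SECRET`, `TIMEOUT` and all function names are assumptions made for the illustration; `lenient_cookie_handler` models the reported pre-fix behaviour.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side signing key
TIMEOUT = 600                         # assumption: session lifetime, seconds

class Unauthorized(Exception):
    """Maps to HTTP 401 and stops the handler chain."""

def make_cookie(user, issued, secret=SECRET):
    # Constructed format: base64url("user:HEXTIME:hmac-sha1-hex")
    body = f"{user}:{issued:X}"
    mac = hmac.new(secret, body.encode(), hashlib.sha1).hexdigest()
    return base64.urlsafe_b64encode(f"{body}:{mac}".encode()).decode()

def cookie_handler(req, now):
    """User ctx on success, None when no cookie is sent, Unauthorized otherwise."""
    cookie = req.get("cookies", {}).get("AuthSession")
    if cookie is None:
        return None  # nothing to judge: delegate to the next handler
    try:
        user, issued_hex, mac = base64.urlsafe_b64decode(cookie).decode().rsplit(":", 2)
        issued = int(issued_hex, 16)
    except ValueError:  # bad base64, bad UTF-8, wrong field count, bad hex
        raise Unauthorized("malformed AuthSession cookie") from None
    good = hmac.new(SECRET, f"{user}:{issued_hex}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        raise Unauthorized("invalid AuthSession cookie")
    if now > issued + TIMEOUT:
        raise Unauthorized("expired AuthSession cookie")
    # Successful request: reissue the cookie so its lifetime is extended.
    return {"name": user, "refresh": make_cookie(user, now)}

def lenient_cookie_handler(req, now):
    """Behaviour the issue reports: a bad cookie is treated like no cookie."""
    try:
        return cookie_handler(req, now)
    except Unauthorized:
        return None

def anonymous_handler(req, now):
    return {"name": None}  # hypothetical last handler: empty user context

def authenticate(req, handlers, now):
    for handler in handlers:
        ctx = handler(req, now)
        if ctx is not None:
            return ctx
    raise Unauthorized("no handler accepted the request")
```

With `[lenient_cookie_handler, anonymous_handler]` an expired cookie falls through and yields the empty user context; with `[cookie_handler, anonymous_handler]` the same request ends in `Unauthorized`.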
