couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Weng Luu (JIRA)" <j...@apache.org>
Subject [jira] Created: (COUCHDB-1073) DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
Date Tue, 22 Feb 2011 17:22:38 GMT
DELETE _session doesn't delete the session. Client can still get user information using GET
_session and with the session cookie retrieved.
-------------------------------------------------------------------------------------------------------------------------------------------

                 Key: COUCHDB-1073
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1073
             Project: CouchDB
          Issue Type: Improvement
            Reporter: Johnny Weng Luu


When using DELETE _session CouchDB only sends a empty session cookie back.

But if I use the original session cookie when using GET _session I can still get the user
information.

https://gist.github.com/838996

This could be a security flaw because when the user leaves the computer a hacker can check
out the session cookie and log in to account.

Very bad if it's a very sensitive web application like financial.

Isn't it better to just delete the session internally in couchdb when DELETE _session is used.
Then that session cookie the hacker gets won't matter because the session is already gone.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message