couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jan Lehnardt (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (COUCHDB-1073) DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.
Date Sat, 16 Apr 2011 22:18:05 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jan Lehnardt resolved COUCHDB-1073.
-----------------------------------

    Resolution: Not A Problem

Since CouchDB doesn't track any /_session state, an explicit logout isn't possible. The default
timeout for sessions is 10 minutes, if that is a hazard, you can reduce it in the config.

> DELETE _session doesn't delete the session. Client can still get user information using
GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1073
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1073
>             Project: CouchDB
>          Issue Type: Improvement
>            Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still get the
user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a hacker can
check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE _session
is used. Then that session cookie the hacker gets won't matter because the session is already
gone.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message