couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Hilbig <>
Subject Re: persistent cookie authorization
Date Thu, 03 Mar 2011 23:40:29 GMT
On 02.03.2011 08:17, Mark Hahn wrote:
> If you don't mind, can you explain your idea in a bit more detail?  I
> need ideas.

i guess my thought would need digging into erlang and write another 
"authentication handler" but i dont know where they are documented.

i wanted to say, with that new authentication handler you could add 
another cookie_passwd_sha1 field to your _users documents which is 
basically the cookie you provided to the user earlier, just also hashed.

but cant increasing couch_httpd_auth:timeout config option help you?

> I appreciate the reference to the wiki page but it sure is a mess.  I
> couldn't make heads nor tails out of it.  Is there a page that spells
> out what auth handlers are provided and how they function?

it's probably hidden therein like [2].

sorry if it doesnt make sense nor help you, i got nothing more to say, 
was just a quick shot.

have fun


> On Tue, Mar 1, 2011 at 11:02 PM, Martin Hilbig<>  wrote:
>> just a quick idea: how about a auth handler[1] which uses the cookie as
>> second passwd and creates a new one afterwards?
>> have fun
>> martin
>> [1]:
>> On 02.03.2011 06:51, Mark Hahn wrote:
>>> I would like to have the features of the cookie authorization built
>>> into couchdb with the _users table, but allow the user to stay logged
>>> in even after their browser is closed or the db is restarted.
>>> I could store the sha hash in a cookie and check it against their doc
>>> from _users, but after I've done that, how do I get them logged into
>>> couchdb with a token?  The only way I can figure out how to do this is
>>> to store the user's password in the clear which defeats the whole
>>> point of storing the sha hashed password.  Is there any way to log in
>>> a user to couchdb without using the clear password?

View raw message