couchdb-user mailing list archives

From Gregor Martynus <gre...@martynus.net>
Subject Re: authentication: signed in as user1 (cookie), but sending request as user2?
Date Wed, 23 May 2012 19:11:18 GMT
Thanks Robert!

> I don't understand your assertion that you can't control the requests
> you send from the browser. I thought this was simple to do with ajax?
I mean, you're clearly able to add the basic Authorization header, so
why aren't you able to not send the Cookie header?

It's specified this way:
http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

The Authorization header is allowed to be set, Cookie isn't. I think the reason is that Cookies
might have an httponly flag, which prevents JavaScript from accessing it (e.g. to prevent cookie
stealing).

-- 
Gregor Martynus


On Wednesday, 23. May 2012 at 21:06, Robert Newson wrote:

> That sounds ok as a workaround, but what you're doing, obviously, is
> sending authentication details for two different users. You can't
> depend on every couchdb server evaluating them in an order that lets
> you get away with that.
> 
> I don't understand your assertion that you can't control the requests
> you send from the browser. I thought this was simple to do with ajax?
> I mean, you're clearly able to add the basic Authorization header, so
> why aren't you able to not send the Cookie header?
> 
> B.
> 
> On 23 May 2012 19:33, Gregor Martynus <gregor@martynus.net> wrote:
> > I might have found the answer to my question:
> > 
> > There is a setting: httpd.authentication_handlers. By default it says:
> > {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler},
> > {couch_httpd_auth, default_authentication_handler}
> > 
> > putting cookie_authentication_handler at the end makes it work for me
> > {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, default_authentication_handler},
> > {couch_httpd_auth, cookie_authentication_handler}
> > 
> > Any downsides you can think of when I'm changing this setting?
> > 
> > --
> > Gregor Martynus
> > 
> > 
> > On Wednesday, 23. May 2012 at 19:27, Gregor Martynus wrote:
> > 
> > > Hey couch folks,
> > > 
> > > let's say there is a database "user2", which has Readers: ["user2"] in its
> > > security settings.
> > > 
> > > Now let's say user1 is logged in, with cookie authentication and he has the
> > > password of user2. Is there any way he can make an authenticated request as user2: `GET /user2/_all_docs`
> > > 
> > > I tried it with the Authorization header, but that only works if I'm signed
> > > out. Once I'm signed in as a user, the Authorization header is ignored.
> > > 
> > > So the question is: when I'm logged in as user1 with cookies, can I send a request
> > > as user2, when I know the password?
> > > 
> > > --
> > > Gregor Martynus
> > > 
> > 
> > 
> 
> 
> 
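The thread turns on how CouchDB walks its httpd.authentication_handlers list: each handler either resolves a user from the request or passes it on, and the first one to resolve a user wins. The following model, an added example and not CouchDB source, shows why the list order decides which identity a request carrying both a session cookie and a basic Authorization header ends up with, and why Robert's point stands: such a request carries two identities and is only ever resolved by server-side ordering. The session table and passwords are constructed; the handler names are the ones from the thread, the AuthSession cookie name is CouchDB's, and `credential_sets` is a hypothetical helper a server operator could use to log requests that present more than one credential.

```python
"""Model of CouchDB's httpd.authentication_handlers chain (added example, not CouchDB code)."""
import base64

# Constructed sample state: session cookie -> user, and user -> password.
SESSIONS = {"AuthSession=abc123": "user1"}
PASSWORDS = {"user1": "pw1", "user2": "pw2"}


def oauth_authentication_handler(req):
    """Stand-in: the sample request carries no OAuth parameters, so pass through."""
    return None


def cookie_authentication_handler(req):
    """Resolve the user from the AuthSession cookie, if the session is known."""
    cookie = req["headers"].get("Cookie")
    return SESSIONS.get(cookie)


def default_authentication_handler(req):
    """Resolve the user from HTTP Basic credentials, if present and valid."""
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
    return user if PASSWORDS.get(user) == password else None


# The two orders discussed in the thread: CouchDB's default, and Gregor's reordering.
DEFAULT_ORDER = [oauth_authentication_handler, cookie_authentication_handler, default_authentication_handler]
REORDERED = [oauth_authentication_handler, default_authentication_handler, cookie_authentication_handler]


def authenticate(req, handlers):
    """Walk the chain; the first handler that yields a user sets the request identity."""
    for handler in handlers:
        user = handler(req)
        if user is not None:
            return user
    return None  # no handler matched: anonymous request


def credential_sets(req):
    """Hypothetical operator check: how many independent identities does the request carry?"""
    return sum(1 for name in ("Cookie", "Authorization") if name in req["headers"])


def basic(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed request: the browser attaches user1's session cookie automatically,
# while the script adds user2's basic credentials by hand.
MIXED_REQUEST = {
    "method": "GET",
    "path": "/user2/_all_docs",
    "headers": {
        "Cookie": "AuthSession=abc123",
        "Authorization": basic("user2", "pw2"),
    },
}

if __name__ == "__main__":
    print("default order ->", authenticate(MIXED_REQUEST, DEFAULT_ORDER))  # user1
    print("reordered     ->", authenticate(MIXED_REQUEST, REORDERED))      # user2
    print("credential sets in request:", credential_sets(MIXED_REQUEST))   # 2
```

With the default order the cookie wins and the request runs as user1, which is exactly the "Authorization header is ignored" behaviour from the first message; with the reordered list the same request runs as user2. Nothing about the request itself changed, only server configuration, so a client that depends on this is depending on a setting it does not control. Counting credential sets per request is a cheap way for an operator to spot traffic that presents two identities at once.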


