couchdb-user mailing list archives

From Gregor Martynus <>
Subject Re: authentication: signed in as user1 (cookie), but sending request as user2?
Date Wed, 23 May 2012 18:33:05 GMT
I might have found the answer to my question:

There is a setting: httpd.authentication_handlers. By default it says:
{couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler},
{couch_httpd_auth, default_authentication_handler}

Putting cookie_authentication_handler at the end makes it work for me:
{couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, default_authentication_handler},
{couch_httpd_auth, cookie_authentication_handler}

Any downsides you can think of when I'm changing this setting? 

Gregor Martynus

On Wednesday, 23. May 2012 at 19:27, Gregor Martynus wrote:

> Hey couch folks,
> let's say there is a database "user2", which has Readers: ["user2"] in its security settings.
> Now let's say user1 is logged in, with cookie authentication and he has the password of user2. Is there any way he can make an authenticated request as user2: `GET /user2/_all_docs`
> I tried it with the Authorization header, but that only works if I'm signed out. Once I'm signed in as a user, the Authorization header is ignored.
> So the question is: when I'm logged in as user1 with cookies, can I send a request as user2, when I know the password?
> --
> Gregor Martynus
