From: Anthony Ananich
Date: Wed, 20 Mar 2013 15:26:24 +0300
Subject: Re: _session + vhost + rewrites
To: user@couchdb.apache.org

I think I've found an answer.

It seems that while using a vhost, the /_session handler is available in the
root of the vhost, independent of whether there are any rewrite rules or not.

I was not able to find any documentation about that, so I'm not sure
if it is a bug or a feature :)

On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson wrote:
> Hm, not without a code change, I think. The secure rewrites setting is
> to prevent a rewrite jumping between databases. At first glance it
> does seem an overreach to block a rewrite to _session (and presumably
> anything else at the top level).
>
> B.
>
> On 20 March 2013 12:13, Anthony Ananich wrote:
>> Hi!
>>
>> I'm trying to make the _session handler accessible via a URL like
>> http://mysite.com/_session while using rewrite rules. I get the
>> following error:
>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>
>> I found that it could be fixed by adding this to an ini file:
>> [httpd]
>> secure_rewrites = false
>>
>> Is there a way to allow _session without disabling secure_rewrites?
>>
>> Thanks,
>> Anthony
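An added example, not part of the thread and not CouchDB's own code: if `secure_rewrites = false` has to be set as in the quoted message, this audits a design document's `rewrites` array so that only the intended top-level target (`/_session`) leaves the database. It assumes rewrite targets resolve relative to `/<db>/_design/<ddoc>/`; the function names, the database `mydb`, the design doc `app` and the sample rules are constructed for illustration.

```javascript
// Simplified model (an assumption, not CouchDB's Erlang implementation):
// a rule's "to" is resolved relative to /<db>/_design/<ddoc>/.
function resolveTarget(db, ddoc, to) {
  const stack = [db, "_design", ddoc];
  let escaped = false;
  const pathOnly = String(to || "").split("?")[0]; // ignore any query part
  for (const seg of pathOnly.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length > 0) stack.pop();
      // Popping the database name means the target left the database.
      if (stack.length === 0) escaped = true;
    } else {
      stack.push(seg);
    }
  }
  return { path: "/" + stack.join("/"), escaped };
}

// Report every rule that leaves the database and is not explicitly allowed.
function auditRewrites(db, ddoc, rewrites, allowed = ["/_session"]) {
  const findings = [];
  for (const rule of rewrites) {
    const { path, escaped } = resolveTarget(db, ddoc, rule.to);
    if (escaped && !allowed.includes(path)) {
      findings.push({ from: rule.from, to: rule.to, resolved: path });
    }
  }
  return findings;
}

// Constructed sample: rewrites of a hypothetical design doc "app" in "mydb".
const sampleRewrites = [
  { from: "/", to: "index.html" },                   // stays in the design doc
  { from: "/api/*", to: "../../*" },                 // database root, still inside
  { from: "/_session", to: "../../../_session" },    // top level, allowed
  { from: "/other/*", to: "../../../otherdb/*" },    // jumps to another database
];

console.log(auditRewrites("mydb", "app", sampleRewrites));
```

Run it against each design document that defines `rewrites` before relaxing the setting; any finding is a rule that the default `secure_rewrites = true` would have rejected.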