From: Benoit Chesneau
To: "user@couchdb.apache.org"
Date: Wed, 20 Mar 2013 05:50:34 -0700
Subject: Re: _session + vhost + rewrites

On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich wrote:
> I think I've found an answer. It seems that while using vhost
> /_session handler is available in the root of vhost independent on if
> there are any rewrite rules or not.
>
> I was not able to find any documentation about that, so I'm not sure
> if it is bug or feature :)

It's a feature, see in the section [httpd] of default.ini:

vhost_global_handlers = _utils, _uuids, _session, _oauth, _users

- benoît

>
> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson wrote:
>> Hm, not without a code change, I think. The secure rewrites setting is
>> to prevent a rewrite jumping between databases. At first glance it
>> does seem an overreach to block a rewrite to _session (and presumably
>> anything else at the top level).
>>
>> B.
>>
>> On 20 March 2013 12:13, Anthony Ananich wrote:
>>> Hi!
>>>
>>> I'm trying to make _session handler accessible via url like
>>> http://mysite.com/_session while using rewrite rules. I get the
>>> following error:
>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>
>>> I found that it could be fixed with adding this to an ini file:
>>> [httpd]
>>> secure_rewrites = false
>>>
>>> Is there a way to allow _session without disabling secure_rewrites?
>>>
>>> Thanks,
>>> Anthony
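
A simplified Python model of the behaviour discussed in this thread, added here as an illustration (it is not code from the thread or from CouchDB): a request for a name listed in vhost_global_handlers is served at the vhost root without consulting the rewrite rules, while a rule that climbs out of its database is rejected when secure_rewrites is on. The database `mydb`, design document `app`, the exact-match rule table and the function names are assumptions.

```python
# Simplified model, not CouchDB source. Handler list is the default.ini
# value quoted in the thread; everything else is assumed for illustration.
VHOST_GLOBAL_HANDLERS = {"_utils", "_uuids", "_session", "_oauth", "_users"}
VHOST_TARGET = "/mydb/_design/app/_rewrite"  # assumed [vhosts] mapping


class InsecureRewrite(Exception):
    """Stands in for the insecure_rewrite_rule error seen in the thread."""


def resolve_rewrite(to, secure_rewrites=True):
    """Resolve a rule's 'to' path relative to the design document.

    With secure_rewrites on, '..' may climb from the design document to
    its database but no further, so a rule cannot reach another database
    or a top-level handler.
    """
    parts = VHOST_TARGET.strip("/").split("/")[:-1]  # mydb/_design/app
    for seg in to.split("/"):
        if seg in ("", "."):
            continue
        if seg != "..":
            parts.append(seg)
        elif secure_rewrites and len(parts) <= 1:
            raise InsecureRewrite("too many ../.. segments")
        elif parts:
            parts.pop()
    return "/" + "/".join(parts)


def route(path, rules, secure_rewrites=True):
    """Return the internal path that serves a request made to the vhost.

    rules maps an exact request path to a 'to' target (real rules also
    support patterns; exact match keeps the model short).
    """
    name = path.strip("/")
    if name.split("/", 1)[0] in VHOST_GLOBAL_HANDLERS:
        return "/" + name  # served at the vhost root, rules not consulted
    to = rules.get(name)
    return None if to is None else resolve_rewrite(to, secure_rewrites)


if __name__ == "__main__":
    rules = {"login": "../../../_session", "docs": "../../_all_docs"}
    print(route("/_session", rules))   # global handler, no rewrite needed
    print(route("/docs", rules))       # stays inside the database
    print(route("/login", rules, secure_rewrites=False))
```

In this model the global-handler route reaches `/_session` with secure_rewrites still enabled, which is the outcome the original question asked for.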