Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BC97B9228 for ; Fri, 3 Feb 2012 00:39:20 +0000 (UTC) Received: (qmail 71392 invoked by uid 500); 3 Feb 2012 00:39:19 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 71195 invoked by uid 500); 3 Feb 2012 00:39:18 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 71113 invoked by uid 99); 3 Feb 2012 00:39:18 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Feb 2012 00:39:18 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Feb 2012 00:39:14 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id CCB6418487F for ; Fri, 3 Feb 2012 00:38:53 +0000 (UTC) Date: Fri, 3 Feb 2012 00:38:53 +0000 (UTC) From: "Ian Bull (Commented) (JIRA)" To: dev@couchdb.apache.org Message-ID: <1173505308.5890.1328229533840.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <922811602.8677.1298395358788.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13199417#comment-13199417 ] Ian Bull commented on COUCHDB-1073: ----------------------------------- Hi everyone, Maybe I'm mistaken, but isn't the UserCtx fetched from the /_sessions and used for things like AuthDocs? Since the session is not actually deleted when the user logs out, you can easily "simulate" a user by sending a AuthSession=XXX in your HTTP header. This would fetch the UserCtx from the /_sessions DB and use that for all DB actions (update documents, etc...). If the DELETE _session actually removed this session, then one a user hits "logout" nobody could "simulate" their session. Again, maybe I'm wrong / mistaken. I'm just getting into the details of this now. > DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved. > ------------------------------------------------------------------------------------------------------------------------------------------- > > Key: COUCHDB-1073 > URL: https://issues.apache.org/jira/browse/COUCHDB-1073 > Project: CouchDB > Issue Type: Improvement > Reporter: Johnny Weng Luu > > When using DELETE _session CouchDB only sends a empty session cookie back. > But if I use the original session cookie when using GET _session I can still get the user information. > https://gist.github.com/838996 > This could be a security flaw because when the user leaves the computer a hacker can check out the session cookie and log in to account. > Very bad if it's a very sensitive web application like financial. > Isn't it better to just delete the session internally in couchdb when DELETE _session is used. Then that session cookie the hacker gets won't matter because the session is already gone. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira