[ https://issues.apache.org/jira/browse/COUCHDB-1066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12994107#comment-12994107 ]
Robert Newson commented on COUCHDB-1066:
----------------------------------------
I have a local fix that breaks Futon due, I think, to a recent change that
translates 401's to 302's. This causes Futon's call to /_active_tasks to make
a modal dialog box of HTML instead of the usual popup about needing admin
access.
This commit, once reverted, gives proper 401's:
03ede5b036c48d0a212fac033cd90e5b041913ad
> cookie_authentication_handler does not throw if cookie is invalid or has
> expired
> --------------------------------------------------------------------------------
>
> Key: COUCHDB-1066
> URL: https://issues.apache.org/jira/browse/COUCHDB-1066
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 0.11.2, 1.0.2, 1.1
> Reporter: Robert Newson
> Assignee: Robert Newson
> Priority: Critical
>
> cookie_authentication_handler does not throw if the cookie is invalid or has
> expired, instead it delegates to the next handler.
> This leads to ugly results like getting a response from /_session but with no
> userCtx filled in.
> cookie_authentication_handler should throw if, and only if, there's an
> AuthSession cookie that is expired or invalid. We shouldn't attempt to try
> other auth schemes. If there is no such cookie, then we delegate.