DELETE _session doesn't delete the session. Client can still get user
information using GET _session and with the session cookie retrieved.
-------------------------------------------------------------------------------------------------------------------------------------------
Key: COUCHDB-1073
URL: https://issues.apache.org/jira/browse/COUCHDB-1073
Project: CouchDB
Issue Type: Improvement
Reporter: Johnny Weng Luu
When using DELETE _session CouchDB only sends a empty session cookie back.
But if I use the original session cookie when using GET _session I can still
get the user information.
https://gist.github.com/838996
This could be a security flaw because when the user leaves the computer a
hacker can check out the session cookie and log in to account.
Very bad if it's a very sensitive web application like financial.
Isn't it better to just delete the session internally in couchdb when DELETE
_session is used. Then that session cookie the hacker gets won't matter because
the session is already gone.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
