[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.

Ian Bull (Commented) (JIRA) Thu, 02 Feb 2012 16:39:21 -0800

    [ 
https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13199417#comment-13199417
 ]


Ian Bull commented on COUCHDB-1073:
-----------------------------------

Hi everyone,

Maybe I'm mistaken, but isn't the UserCtx fetched from the /_sessions and used 
for things like AuthDocs?  Since the session is not actually deleted when the 
user logs out, you can easily "simulate" a user by sending a AuthSession=XXX in 
your HTTP header.  This would fetch the UserCtx from the /_sessions DB and use 
that for all DB actions (update documents, etc...).

If the DELETE _session actually removed this session, then one a user hits 
"logout" nobody could "simulate" their session.

Again, maybe I'm wrong / mistaken. I'm just getting into the details of this 
now.
                
> DELETE _session doesn't delete the session. Client can still get user 
> information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1073
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1073
>             Project: CouchDB
>          Issue Type: Improvement
>            Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still 
> get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a 
> hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE 
> _session is used. Then that session cookie the hacker gets won't matter 
> because the session is already gone.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (COUCHDB-1073) DELETE _session doesn't delete the session. Client can still get user information using GET _session and with the session cookie retrieved.

Reply via email to