[
https://issues.apache.org/jira/browse/COUCHDB-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510427#comment-13510427
]
Sam Stainsby commented on COUCHDB-1073:
---------------------------------------
I saw this behaviour today, and thought it might be a problem. But then I read
this:
http://appsandsecurity.blogspot.com.au/2011/04/rest-and-stateless-session-ids.html
which I guess is what's happening here.
> DELETE _session doesn't delete the session. Client can still get user
> information using GET _session and with the session cookie retrieved.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1073
> URL: https://issues.apache.org/jira/browse/COUCHDB-1073
> Project: CouchDB
> Issue Type: Improvement
> Reporter: Johnny Weng Luu
>
> When using DELETE _session CouchDB only sends a empty session cookie back.
> But if I use the original session cookie when using GET _session I can still
> get the user information.
> https://gist.github.com/838996
> This could be a security flaw because when the user leaves the computer a
> hacker can check out the session cookie and log in to account.
> Very bad if it's a very sensitive web application like financial.
> Isn't it better to just delete the session internally in couchdb when DELETE
> _session is used. Then that session cookie the hacker gets won't matter
> because the session is already gone.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
