Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/80#issuecomment-126772194
  
    If we now understand the general mechanism, my remaining questions are:
    
    1) Unless the admin sets allow_persistent_cookies, the x-couchdb-csrf cookie is only lost when the browser is restarted or cookies are manually cleared.
    2) If allow_persistent_cookies is true, the x-couchdb-csrf cookie will expire. The auth session cookie will expire at the same time, unless it's been renewed (which happens automatically), so this would seem to lock the user out eventually.
    
    The core parts are sound, I think: the generation of the csrf cookie, and the way we validate that the cookie and header match and are valid. What's not quite right is the way you get the csrf cookie in the first place.
    
    Thoughts?
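The mechanism rnewson is reasoning about (a double-submit CSRF cookie: the server mints a signed token, sets it as a cookie, and a request is accepted only if the same token arrives in a header and the token verifies and has not expired) is easy to see in a few lines. The following is an added illustration of that pattern, not the Erlang code from the CouchDB pull request; the token layout `<expiry>:<nonce>:<hmac>`, the `mint_csrf_token`/`check_request` names, and the use of the same name for cookie and header are assumptions made for this example. The `now` parameter exists so the expiry case from question 2 (CSRF cookie expired while the session cookie was renewed) can be reproduced deterministically.

```python
"""Double-submit CSRF cookie check, as an added example (not the PR's code).

Assumed token format: "<expiry-unix-seconds>:<nonce>:<hmac-sha256-hex>".
The server sets the token as the x-couchdb-csrf cookie; a client must echo
it back in an x-couchdb-csrf header. Both names are assumed here.
"""
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "x-couchdb-csrf"   # assumed cookie name (from the thread)
HEADER_NAME = "x-couchdb-csrf"   # assumed request header carrying the echo


def _mac(secret, payload):
    """HMAC-SHA256 over the unsigned part of the token, hex encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def mint_csrf_token(secret, ttl, now=None):
    """Create a fresh token valid for `ttl` seconds from `now`.

    The nonce makes each token unique; the expiry is covered by the MAC so a
    client cannot extend its own token's lifetime.
    """
    now = int(time.time()) if now is None else now
    payload = "%d:%s" % (now + ttl, secrets.token_hex(16))
    return "%s:%s" % (payload, _mac(secret, payload))


def token_is_valid(secret, token, now=None):
    """True if the token parses, its MAC verifies, and it has not expired."""
    try:
        expiry_s, nonce, mac = token.split(":")
        expiry = int(expiry_s)
    except ValueError:
        return False
    # Constant-time comparison of the MAC so the check leaks no timing info.
    if not hmac.compare_digest(_mac(secret, "%d:%s" % (expiry, nonce)), mac):
        return False
    now = int(time.time()) if now is None else now
    return now < expiry


def check_request(secret, cookies, headers, now=None):
    """Apply the double-submit rule to one request.

    `cookies` and `headers` are plain dicts (constructed inputs for the
    example). Returns (accepted, reason).
    """
    cookie = cookies.get(COOKIE_NAME)
    header = headers.get(HEADER_NAME)
    if cookie is None or header is None:
        return False, "missing cookie or header"
    # An attacker's cross-site request can carry the victim's cookie but
    # cannot set a custom header on it, so the two must match exactly.
    if not hmac.compare_digest(cookie, header):
        return False, "cookie/header mismatch"
    # Matching alone is not enough: the pair must also be one we issued
    # and still within its lifetime (this is the expiry case from the thread).
    if not token_is_valid(secret, cookie, now):
        return False, "token invalid or expired"
    return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tok = mint_csrf_token(key, ttl=600, now=1000)
    # Valid while fresh...
    print(check_request(key, {COOKIE_NAME: tok}, {HEADER_NAME: tok}, now=1100))
    # ...and rejected once the CSRF token has expired, regardless of session
    # renewal, which is the lockout rnewson describes in question 2.
    print(check_request(key, {COOKIE_NAME: tok}, {HEADER_NAME: tok}, now=1700))
```

Note that the session-renewal problem is visible in `check_request`: nothing here re-issues the CSRF cookie, so once `token_is_valid` starts returning False every request fails until the client obtains a new token, which is exactly the "how you get the csrf cookie in the first place" question the comment raises.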

