Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/80#issuecomment-126935884
  
    I've revised this and removed the coupling with the session cookie.
    
    A client that does not currently have a CouchDB-CSRF cookie can add
    X-CouchDB-CSRF: true to their request and will receive one. They must then
    send the cookie's value in the X-CouchDB-CSRF header for their request to
    succeed.
    
    The CSRF token check occurs before authentication so you can acquire the
    CSRF token immediately (perhaps when fetching the welcome message from /).
    
    The token will expire from time to time (same duration as the session
    cookie but without the automatic extension), so clients should do broadly
    this:
    
    // hasCookie/cookieValue read the browser's cookie jar; setRequestHeader is
    // the XMLHttpRequest method. Send the token if we already have one,
    // otherwise ask the server to issue one with this request.
    if (hasCookie("CouchDB-CSRF")) {
      setRequestHeader("X-CouchDB-CSRF", cookieValue("CouchDB-CSRF"));
    } else {
      setRequestHeader("X-CouchDB-CSRF", "true");
    }

