Adrian Aichner created COUCHDB-2801:
---------------------------------------
Summary: Cannot login to fauxton with WWW-Authenticate NoBasic
Key: COUCHDB-2801
URL: https://issues.apache.org/jira/browse/COUCHDB-2801
Project: CouchDB
Issue Type: Bug
Security Level: public (Regular issues)
Components: Fauxton
Reporter: Adrian Aichner
The default header setting
WWW-Authenticate Basic realm="Welcome to the Couch!"
causes failing app logins via
POST _session
to go interactive, prompting for username and password (e.g. when providing
wrong password or username).
Should the user follow the request, that Authorization header persists for the
whole Firefox session from what I have seen.
I can easily avoid the prompt by using a httpd config entry
WWW-Authenticate NoBasic realm="Welcome to the Couch!"
The app can either log in successfully or get a 401, with no prompts showing
up, which is ideal.
When the app logs out again with
DELETE _session
using the current Cookie value, no couchdb access (e.g. syncing) is possible
until the next
POST _session
is done, again getting 401 without prompting.
This setup, however, defeats login to fauxton.
Setting
require_valid_user=false
is out of the question because of its initial openness of all databases until
more security is added.
How about making login to fauxton possible by access to some endpoint URL to do
a forms-based
POST _session
authentication at?
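The report's two header values differ only in the challenge scheme, and that is what decides whether a 401 turns into a native credential prompt. The following is an added example, not code from the report, CouchDB or Fauxton: it parses a WWW-Authenticate value using the RFC 7235 challenge grammar and checks whether a Basic challenge is offered. It assumes that a browser only shows its own dialog for schemes it implements; all function names are hypothetical.

```javascript
// Added example, not CouchDB or Fauxton code: parse WWW-Authenticate challenges
// (RFC 7235 grammar) and check whether any of them uses the Basic scheme.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const PARAM_RE = new RegExp(`^(${TOKEN})\\s*=\\s*(.*)$`);
const SCHEME_RE = new RegExp(`^(${TOKEN})(?:\\s+(.*))?$`);

// Split on commas that are outside a quoted-string, keeping escaped pairs intact.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "", inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\" && i + 1 < value.length) current += ch + value[++i];
    else if (ch === "," && !inQuotes) { parts.push(current.trim()); current = ""; }
    else { if (ch === '"') inQuotes = !inQuotes; current += ch; }
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

function unquote(v) {
  const m = /^"(.*)"$/.exec(v.trim());
  return m ? m[1].replace(/\\(.)/g, "$1") : v.trim();
}

// A piece of the form name=value continues the current challenge; anything else starts a new one.
function parseChallenges(headerValue) {
  const challenges = [];
  for (const part of splitOutsideQuotes(headerValue)) {
    const param = PARAM_RE.exec(part);
    if (param && challenges.length > 0) {
      challenges[challenges.length - 1].params[param[1].toLowerCase()] = unquote(param[2]);
      continue;
    }
    const m = SCHEME_RE.exec(part);
    if (!m) continue; // malformed piece, ignore
    const challenge = { scheme: m[1], params: {} };
    const first = m[2] ? PARAM_RE.exec(m[2]) : null;
    if (first) challenge.params[first[1].toLowerCase()] = unquote(first[2]);
    else if (m[2]) challenge.token68 = m[2];
    challenges.push(challenge);
  }
  return challenges;
}

// Scheme names are case-insensitive; "NoBasic" is a different, unknown scheme.
function offersBasic(headerValue) {
  return parseChallenges(headerValue).some((c) => c.scheme.toLowerCase() === "basic");
}
const DEFAULT_HEADER = 'Basic realm="Welcome to the Couch!"';    // value quoted in the report
const WORKAROUND_HEADER = 'NoBasic realm="Welcome to the Couch!"'; // value quoted in the report
console.log(offersBasic(DEFAULT_HEADER), offersBasic(WORKAROUND_HEADER));
```

Run against the header of a captured 401 response, the check shows whether a deployment's failed `POST _session` would put a Basic challenge in front of the browser.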