detroitenglish commented on issue #1562: Provide configuration option enforcing AuthSession cookies' "Secure" attribute in couch_httpd_auth
URL: https://github.com/apache/couchdb/issues/1562#issuecomment-414049034

@wohali thanks as always for your insight:

> ... how many programmatic clients would such a change break? ... most CouchDB access "in the field" is via language-native clients.

Interesting! For clarity, you're implying that most programmatic clients rely on `/_session` cookies for authentication?

[pouchdb-authentication](https://www.npmjs.com/package/pouchdb-authentication) as a purely front-end `/_session` interface, for example, averages ~750 installs per week. Is that indeed trivial compared to these programmatic clients?

> If this would break the large majority of them (and I expect it would) ...

That's why I propose this be **disabled by default** i.e. purely opt-in.

Perhaps a broader discussion on bringing `/_session` cookies up to a modern spec would be more appropriate, first? [RFC 2109](https://tools.ietf.org/html/rfc2109.html) reached legal US drinking age this year! 🍻

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
