realulim commented on issue #844: Add new explicit authentication-tokens that 
can be revoked
URL: https://github.com/apache/couchdb/issues/844#issuecomment-478534160
 
 
Sorry if everyone has understood and disregarded the security implications 
and I am beating a dead horse here. But I'm sure we all agree that in security 
matters it is better to make sure twice and thrice, so let me reiterate the 
problem:

The exploit is that a stateless token, once stolen, can be used indefinitely 
by the attacker.

The point of using tokens (whether stateless or not) is that the sensitive 
password does not have to be transmitted with every request. If, however, 
tokens have the same longevity as passwords, then this purpose is defeated and 
you might as well make it easy on yourself and re-transmit the password every 
time.

Please note that I am talking about interactive applications here. The user 
logs out of his application and expects that everything is nice and secure. He 
most certainly does not expect that stateless tokens flying around can still be 
used and even refreshed indefinitely.

For non-interactive applications (such as SSO), it is understood and 
expected that a combination of short-lived access tokens and long-lived refresh 
tokens is employed.

Again, there is no need to change existing APIs. As Jan said, there should 
be a way to invalidate tokens without changing the password, so that developers 
can employ this method in their application when their users are "logging out".
