I think we check for the cookie first. Just don't send it when you 'send a request as user2'.
B.

On 23 May 2012 18:27, Gregor Martynus <[email protected]> wrote:
> Hey couch folks,
>
> let's say there is a database "user2", which has Readers: ["user2"] in its
> security settings.
>
> Now let's say user1 is logged in, with cookie authentication and he has the
> password of user2. Is there any way he can make an authenticated request as
> user2: `GET /user2/_all_docs`
>
> I tried it with the Authorization header, but that only works if I'm signed
> out. Once I'm signed in as a user, the Authorization header is ignored.
>
> so Question is: when I'm logged in as user1 with cookies, can I send a
> request as user2, when I know the password?
>
> --
> Gregor Martynus
