Thanks Robert!

> I don't understand your assertion that you can't control the requests you send from the browser. I thought this was simple to do with ajax? I mean, you're clearly able to add the basic Authorization header, so why aren't you able to not send the Cookie header?
It's specified this way: http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

The Authorization header is allowed to be set, Cookie isn't. I think the reason is that cookies might have an httponly flag, which prevents JavaScript from accessing them (e.g. to prevent cookie stealing).

--
Gregor Martynus

On Wednesday, 23. May 2012 at 21:06, Robert Newson wrote:

> That sounds ok as a workaround, but what you're doing, obviously, is sending authentication details for two different users. You can't depend on every couchdb server evaluating them in an order that lets you get away with that.
>
> I don't understand your assertion that you can't control the requests you send from the browser. I thought this was simple to do with ajax? I mean, you're clearly able to add the basic Authorization header, so why aren't you able to not send the Cookie header?
>
> B.
>
> On 23 May 2012 19:33, Gregor Martynus <[email protected]> wrote:
> > I might have found the answer to my question:
> >
> > There is a setting: httpd.authentication_handlers. By default it says:
> > {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}
> >
> > Putting cookie_authentication_handler at the end makes it work for me:
> > {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, default_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}
> >
> > Any downsides you can think of when I'm changing this setting?
> >
> > --
> > Gregor Martynus
> >
> > On Wednesday, 23. May 2012 at 19:27, Gregor Martynus wrote:
> >
> > > Hey couch folks,
> > >
> > > let's say there is a database "user2", which has Readers: ["user2"] in its security settings.
> > >
> > > Now let's say user1 is logged in, with cookie authentication, and he has the password of user2. Is there any way he can make an authenticated request as user2: `GET /user2/_all_docs`
> > >
> > > I tried it with the Authorization header, but that only works if I'm signed out. Once I'm signed in as a user, the Authorization header is ignored.
> > >
> > > So the question is: when I'm logged in as user1 with cookies, can I send a request as user2, when I know the password?
> > >
> > > --
> > > Gregor Martynus
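The handler-chain behaviour the thread turns on (each configured handler is tried in order and the first one that identifies a user wins, so a request carrying two users' credentials is resolved by configuration order) as an added model in Python. This is not CouchDB's own code: the oauth handler is left out, and the accounts, session table and mixed request are constructed for the example.

```python
# Added model of the httpd.authentication_handlers chain discussed in the thread.
# Not CouchDB's code: each handler is tried in configured order and the first
# one that identifies a user wins. Accounts, sessions and requests are constructed.
import base64

USERS = {"user1": "pw1", "user2": "pw2"}   # constructed accounts
SESSIONS = {"sess-abc": "user1"}           # constructed AuthSession cookie -> user


def cookie_authentication_handler(req):
    """Stand-in for the cookie handler: map the AuthSession cookie to its user."""
    for part in req.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "AuthSession":
            return SESSIONS.get(value)
    return None


def default_authentication_handler(req):
    """Stand-in for the basic-auth handler: check 'Authorization: Basic user:pw'."""
    scheme, _, token = req.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None


def authenticate(req, handlers):
    """Return the user named by the first handler that succeeds, else None."""
    for handler in handlers:
        user = handler(req)
        if user is not None:
            return user
    return None


def basic(user, pw):
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


# Default order (cookie before basic) versus the reordering from the thread.
DEFAULT_ORDER = [cookie_authentication_handler, default_authentication_handler]
REORDERED = [default_authentication_handler, cookie_authentication_handler]

# The request from the thread: user1's session cookie plus user2's Basic credentials.
MIXED_REQUEST = {"Cookie": "AuthSession=sess-abc", "Authorization": basic("user2", "pw2")}
```

With DEFAULT_ORDER the cookie handler answers first and the request runs as user1; with REORDERED the Basic credentials win and it runs as user2, which is exactly the order dependence Robert warns about.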
