realulim opened a new issue #844: Add new explicit authentication-tokens that can be revoked

URL: https://github.com/apache/couchdb/issues/844

All token-based authentication schemes are vulnerable to CSRF (Cross Site Request Forgery) attacks. In the case of cookies there is an additional risk involved, because the browser sends the cookie automatically with every request. Thus, if the user simply clicks on a malicious link during a CouchDB session, he will send the cookie to the attacker, who will then be able to take over the session.

This is a built-in problem with cookie-based authentication schemes, but CouchDB makes it worse by not providing a way to delete the stateless token upon logout of the user. That means that the attacker can indefinitely use the captured cookie just by sending a ping every 10 minutes - the token will never expire.

I think this is a security issue and should be fixed. Anyone in possession of the stateless token should be able to delete it.

## Expected Behavior

After calling the DELETE /_session endpoint, the session should be invalidated on the server.

## Current Behavior

The stateless token is not deleted (as per section 10.2.15 of the documentation).

## Possible Solution

I have no suggestions, because I'm not sure what the problem is with deleting the stateless tokens. In case it has something to do with distribution, I would suggest that eventual consistency is good enough here. As well, if it were possible to set the expiry date - a slightly more complicated way to get rid of the cookie, but it would suffice.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]

With regards,
Apache Git Services
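The report above asks for a server-side way to invalidate a stateless session token on logout. The following is an added example, not code from the issue or from CouchDB: it models a stateless HMAC token of the general shape the report describes (user name, issue time, MAC), the keep-alive refresh that lets a captured copy live indefinitely, and one way to make such tokens revocable with a small amount of server state. The token layout, the secret, the 600-second timeout and the `LogoutMarks` design are assumptions for illustration; CouchDB's actual cookie format and its `/_session` implementation are not reproduced.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed values for this example only; CouchDB's real cookie layout and
# secret handling are not reproduced here.
SESSION_TIMEOUT = 600  # seconds a token stays valid without a refresh
SECRET = b"example-server-secret-not-for-production"


def issue_token(user: str, now: int, secret: bytes = SECRET) -> str:
    """Mint a stateless token: user, issue time and an HMAC over both.

    The server stores nothing about it, which is exactly why a plain logout
    cannot invalidate it."""
    payload = f"{user}:{now}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def parse_token(token: str, secret: bytes = SECRET) -> Optional[Tuple[str, int]]:
    """Check the HMAC and return (user, issued_at), or None if forged or malformed."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, ts, mac = parts
    expected = hmac.new(secret, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user, int(ts)


class LogoutMarks:
    """Server-side state that makes the stateless token revocable (assumed design).

    Logging out records the instant for that user; every token of the user
    issued at or before that instant is then rejected, including copies the
    user never saw. A mark is dropped once every token it could affect has
    expired on its own, so the table is bounded by the number of users who
    logged out within the last SESSION_TIMEOUT seconds.
    """

    def __init__(self) -> None:
        self._marks: Dict[str, int] = {}

    def logout(self, user: str, now: int) -> None:
        self._marks[user] = now

    def prune(self, now: int) -> None:
        self._marks = {u: t for u, t in self._marks.items() if now - t <= SESSION_TIMEOUT}

    def rejects(self, user: str, issued_at: int, now: int) -> bool:
        self.prune(now)
        mark = self._marks.get(user)
        return mark is not None and issued_at <= mark


def verify_token(token: str, now: int, marks: LogoutMarks, secret: bytes = SECRET) -> Optional[str]:
    """Return the user name if the token is genuine, unexpired and not logged out."""
    parsed = parse_token(token, secret)
    if parsed is None:
        return None
    user, issued_at = parsed
    if issued_at > now or now - issued_at > SESSION_TIMEOUT:
        return None
    if marks.rejects(user, issued_at, now):
        return None
    return user


def refresh_token(token: str, now: int, marks: LogoutMarks, secret: bytes = SECRET) -> Optional[str]:
    """Model the keep-alive ping: a still-valid token is exchanged for a fresh one."""
    user = verify_token(token, now, marks, secret)
    return None if user is None else issue_token(user, now, secret)


def captured_cookie_scenario() -> Dict[str, Optional[str]]:
    """Walk through the report: a copy of the cookie is kept alive, then the user logs out."""
    marks = LogoutMarks()
    t0 = 1_700_000_000
    cookie = issue_token("alice", t0)                       # legitimate login
    copied = cookie                                         # the copy the report worries about
    kept_alive = refresh_token(copied, t0 + 500, marks)     # keep-alive before logout still works
    before_logout = verify_token(copied, t0 + 540, marks)
    marks.logout("alice", t0 + 550)                         # DELETE /_session records a mark
    return {
        "before_logout": before_logout,
        "kept_alive_after_logout": verify_token(kept_alive, t0 + 560, marks),
        "original_after_logout": verify_token(copied, t0 + 560, marks),
        "new_login_after_logout": verify_token(issue_token("alice", t0 + 600), t0 + 601, marks),
    }
```

A per-user logout mark is chosen over a per-token denylist on purpose: a refreshed copy of the cookie is a different token string, so denylisting the one token the user presented at logout would leave any earlier copy, and anything refreshed from it, valid. The mark catches all of them because refresh never moves a token's issue time past the moment of logout. The trade-off is that one logout ends every session of that user; a per-device session identifier inside the token would be needed to narrow it. In a clustered deployment the marks are the piece that has to be replicated, which is the eventual-consistency question the report raises.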
