janl commented on issue #844: Add new explicit authentication-tokens that can be revoked URL: https://github.com/apache/couchdb/issues/844#issuecomment-478544921 @realulim I consider indefinite auto-renewal an API semantic, that if changed is a breaking change, so we can’t just add this. There is no disagreement that this is a security concern, but there are worst-case-scenario failsafes available already, and I think that’s why we’re not treating this as an urgent issue (i.e change the http session secret). You call this exploit and I’m sure you are using this terminology to install a sense of severity and urgency. I call this works as designed and fully acknowledge the design limitation. The way forward I outlined in my previous message, so let’s focus on agreeing what the precise semantics for a new _session endpoint should be, or decide that @rnewson’s patch does the trick.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
