Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

custom session handling? #184

Closed
gr2m opened this issue Dec 6, 2013 · 4 comments
Closed

custom session handling? #184

gr2m opened this issue Dec 6, 2013 · 4 comments

Comments

@gr2m
Copy link
Member

gr2m commented Dec 6, 2013

I have several issues with Hoodie using cookies for sessions at the moment. One being, that I cannot end the session if the user is offline, but there are valid use cases for that, see hoodiehq/hoodie#194

There are other reason, including security flaws, why I'd suggest to have that changed.

Instead of using cookies, I'd like to send a custom header with every request, something like X-Hoodie-Session-Id.

Does CouchDB support something like that? Or would that mean that we have to build our own session/auth handler?
@janl
Copy link
Member

janl commented Dec 6, 2013

On 06.12.2013, at 13:39, Gregor Martynus [email protected] wrote:

I have several issues with Hoodie using cookies for sessions at the moment. One being, that I cannot end the session if the user is offline, but there are valid use cases for that, see hoodiehq/hoodie#194

Can you not send a bogus cookie on the next connection?

There are other reason, including security flaws, why I'd suggest to have that changed.

That would imply that CouchDB sessions have security flaws which I don't think they do :) what issues are you referring to? (Please reply in private to this in order to ensure responsible disclosure.)

Instead of using cookies, I'd like to send a custom header with every request, something like X-Hoodie-Session-Id.

Does CouchDB support something like that? Or would that mean that we have to build our own session/auth handler?

There is the proxy handler that we might be able to hijack, but not sure at the moment.


Reply to this email directly or view it on GitHub.

@gr2m
Copy link
Member Author

gr2m commented Dec 6, 2013

Can you not send a bogus cookie on the next connection?

The Cookie header is http only, and cannot be accessed / overwritten from JS code, for security reasons.

That would imply that CouchDB sessions have security flaws which I don't think they do :) what issues are you referring to? (Please reply in private to this in order to ensure responsible disclosure.)

done.

@svnlto
Copy link
Member

svnlto commented Jan 7, 2015

I believe we have already implemented a solution for this?

@gr2m
Copy link
Member Author

gr2m commented Jan 7, 2015

yes, we have bearer token now, we don't use Cookies anymore. So closing this.

@gr2m gr2m closed this as completed Jan 7, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@janl @gr2m @svnlto