I’ve read a lot of things about authentication in CouchDB, especially regarding the Cookie Authentication.
I’m still making some tests and all seems to be working well, for instance with this command:
curl -vX POST $HOST/_session -H 'Content-Type: application/x-www-form-urlencoded' -d 'name=foo&password=bar'
I get a Cookie that I can use.
But my point is, any time I see this kind of sample on the Web, the username and password are always sent in plain text.
I’m really new to security, but what’s the interest of the Cookie Auth method if I first have to send my credentials in clear?
Is there a way to send at least the password hashed ?
With something like that, IDK:
curl -vX POST $HOST/_session -H 'Content-Type: application/x-www-form-urlencoded' -d 'name=foo&hashed_password=hashed_bar'
Cheers
Arnaud
If you send your password hashed, then all the attacker needs to know is your hashed password, so it wouldn’t solve the problem of sending your password in cleartext – now you would have a problem of sending your hash in cleartext.
Also remember that even if that solved the problem you would still be sending your cookie in cleartext being vulnerable to session hijacking.
(There’s also the HTTP digest access authentication but not without its own problems – but CouchDB didn’t support it last time I checked anyway.)
What you should do is to always use HTTPS for any authenticated CouchDB access with any network involved, except maybe the 127.0.0.0 network.
(And yes, pretty much all of the examples on the web and in books show using basic or cookie authentication over HTTP which in my opinion is a disaster waiting to happen.)
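The cookie login the answer recommends, with the transport checks spelled out, as an added example that is not from the thread (the host name and credentials are placeholders; Python standard library only). The client refuses to POST credentials to a cleartext URL unless the host is loopback, and inspects the returned AuthSession cookie for the HttpOnly and Secure flags that limit session hijacking.

```python
import http.cookies
import ipaddress
import urllib.parse
import urllib.request


def session_url_allowed(url: str) -> bool:
    """Allow credentials only over HTTPS, or over HTTP to a loopback address
    (the 127.0.0.0 exception from the answer)."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        return False
    host = parts.hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_auth_cookie(set_cookie: str) -> dict:
    """Pull the AuthSession cookie out of a Set-Cookie header and report the
    flags that matter: HttpOnly keeps it from scripts, Secure keeps it off HTTP."""
    jar = http.cookies.SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get("AuthSession")
    if morsel is None:
        return {}
    return {"value": morsel.value,
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"])}


def login(base_url: str, name: str, password: str) -> dict:
    """POST the form to /_session exactly as the curl command does, but only
    over a channel that session_url_allowed() accepts. base_url is a placeholder
    such as https://couch.example.invalid:6984."""
    url = base_url.rstrip("/") + "/_session"
    if not session_url_allowed(url):
        raise ValueError(f"refusing to send credentials in cleartext to {url}")
    body = urllib.parse.urlencode({"name": name, "password": password}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # verifies the TLS cert
        cookie = parse_auth_cookie(resp.headers.get("Set-Cookie", ""))
    if not cookie:
        raise RuntimeError("no AuthSession cookie in the response")
    return cookie
```

If `secure` comes back False on an HTTPS deployment, the cookie will also be sent on any plain-HTTP request to the same host, which is exactly the hijacking exposure the answer describes.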