[Chugalug] Cookies for auth rant (almost just a link)
cluon at geeklabs.com
Fri Mar 22 17:43:59 UTC 2013
yet another case of people using cookies for auth.. and getting caught with
their cookie crumbs being all it takes.
Mike's rules for auth:
Don't use things stored in user/browser space (like cookies).
verify the credentials for -everything-, every post.
Issuing a cookie, and then checking that there is a matching session for
that cookie is NOT good practice.
If changing your credentials on a web system does not require you to
re-authenticate with the new credentials... something is broken.
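Added illustration (not part of the original post, and not code from any of the sites it alludes to) of the two failure modes the rules above describe: a bare "cookie present, session row matches" check keeps a stolen cookie working even after the owner changes their password, whereas binding each session to a credential version forces a re-login once the credentials change. The user store, session store, sample user and password strings are all constructed for this example.

```python
"""Stolen-cookie demo: naive session lookup vs. a session bound to the
credential version. In-memory stores and the user "alice" are constructed
for this example only."""
import hashlib
import hmac
import os
import secrets

# constructed user store: username -> salt, password hash, credential version
USERS = {}
# constructed session store: opaque session id -> (username, version at login)
SESSIONS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "version": 1}


def verify_credentials(username, password):
    """Real credential check; the post's rule 2 wants this on every request."""
    u = USERS.get(username)
    if u is None:
        return False
    return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))


def change_password(username, old, new):
    """Requires the old credential, then bumps the version so every session
    issued under the old credential stops validating (rule 3)."""
    if not verify_credentials(username, old):
        return False
    u = USERS[username]
    u["salt"] = os.urandom(16)
    u["hash"] = _hash(new, u["salt"])
    u["version"] += 1
    return True


def login(username, password):
    """Issues an opaque session id bound to the current credential version."""
    if not verify_credentials(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (username, USERS[username]["version"])
    return sid


def naive_authenticated_user(sid):
    """The pattern the post objects to: a cookie with a matching session
    row is treated as proof of identity, whatever happened since login."""
    entry = SESSIONS.get(sid)
    return entry[0] if entry else None


def strict_authenticated_user(sid):
    """Same lookup, but the session only counts while it is bound to the
    account's *current* credential version; a stale one is dropped."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    username, version = entry
    if USERS[username]["version"] != version:
        del SESSIONS[sid]          # owner re-credentialed: force a fresh login
        return None
    return username


def demo():
    """Attacker copies alice's cookie; alice then changes her password."""
    create_user("alice", "correct horse")
    stolen = login("alice", "correct horse")       # value lifted from the cookie
    change_password("alice", "correct horse", "battery staple")
    # naive check still says "alice"; strict check says nobody is logged in
    return naive_authenticated_user(stolen), strict_authenticated_user(stolen)


if __name__ == "__main__":
    print(demo())
```

The version counter is the whole trick: nothing in the cookie changes, but the server-side row it points at is no longer trusted once the credentials behind it have moved on, which is exactly the "you must re-authenticate with the new credentials" behaviour the post asks for.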