[Chugalug] Cookies for auth rant (almost just a link)

Mike Harrison cluon at geeklabs.com
Fri Mar 22 17:43:59 UTC 2013


http://it.slashdot.org/story/13/03/22/1414206/twitter-hotmail-linkedin-yahoo-open-to-hijacking

Yet another case of people using cookies for auth... and getting caught, with 
their cookie crumbs being all it takes.

Mike's rules for auth:

Don't use things stored in user/browser space (like cookies).

Verify the credentials for -everything-, every post.

Issuing a cookie, and then checking that there is a matching session for 
that cookie, is NOT good practice.

Acid test:

If changing your credentials on a web system does not require you to 
re-authenticate with the new credentials... something is broken.
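One way of implementing that acid test, as an added example that is not part of the original post: every request re-resolves the cookie against the user's current credential version, and a password change bumps that version, so a copied cookie (and the changing user's own session) stops working until someone logs in again with the new credentials. The in-memory stores and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores for this example (not from the original post).
USERS = {}     # username -> {"salt", "pw_hash", "cred_version"}
SESSIONS = {}  # opaque session id -> {"user", "cred_version"}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _check_pw(user, password):
    return hmac.compare_digest(user["pw_hash"], _hash_pw(password, user["salt"]))

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_pw(password, salt),
                       "cred_version": 1}

def login(username, password):
    """Verify the password and issue an opaque session id stamped with the
    credential version it was issued under; returns None on failure."""
    user = USERS.get(username)
    if user is None or not _check_pw(user, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "cred_version": user["cred_version"]}
    return sid

def current_user(sid):
    """Resolve the session cookie on every request: a copied cookie only
    works while the credential it was issued under is still current."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["cred_version"] != USERS[sess["user"]]["cred_version"]:
        SESSIONS.pop(sid, None)  # stale: credentials changed since issue
        return None
    return sess["user"]

def change_password(sid, old_password, new_password):
    """Require the current password again, then bump the credential version
    so every outstanding session, this one included, must log in afresh."""
    username = current_user(sid)
    if username is None or not _check_pw(USERS[username], old_password):
        return False
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_pw(new_password, user["salt"])
    user["cred_version"] += 1
    return True
```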
