[Chugalug] Cookies for auth rant (almost just a link)

Mike Harrison cluon at geeklabs.com
Fri Mar 22 17:43:59 UTC 2013


yet another case of people using cookies for auth.. and getting caught with 
their cookie crumbs being all it takes.

Mike's rules for auth:

Don't use things stored in user/browser space (like cookies).

verify the credentials for -everything-, every post.

Issuing a cookie, and then checking that there is a matching session for 
that cookie is NOT good practice.

Acid test:

If changing your credentials on a web system does not require you to 
re-authenticate with the new credentials... something is broken.
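One way to meet that acid test, as an added example that is not from the post or its author (Python, with constructed in-memory stores standing in for a user table and a session store): every session records the credential version it was issued under, and changing the password bumps that version, so every existing session, including the one that made the change, stops validating until the user logs in again with the new credentials.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a user table and a session store.
USERS = {}      # username -> {"pw_hash": bytes, "salt": bytes, "cred_version": int}
SESSIONS = {}   # session token -> {"user": str, "cred_version": int}

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"pw_hash": _hash_pw(password, salt), "salt": salt, "cred_version": 1}

def login(username: str, password: str):
    """Verify the password and issue a session bound to the current credential version."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_pw(password, user["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "cred_version": user["cred_version"]}
    return token

def session_user(token: str):
    """Return the session's user only if its credential version is still current."""
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    user = USERS[sess["user"]]
    if sess["cred_version"] != user["cred_version"]:
        SESSIONS.pop(token, None)   # credentials changed since issue: force re-auth
        return None
    return sess["user"]

def change_password(token: str, old_password: str, new_password: str) -> bool:
    """Require a live session and the old password, then rotate the credential version."""
    username = session_user(token)
    if username is None:
        return False
    user = USERS[username]
    if not hmac.compare_digest(user["pw_hash"], _hash_pw(old_password, user["salt"])):
        return False
    salt = os.urandom(16)
    user.update(pw_hash=_hash_pw(new_password, salt), salt=salt,
                cred_version=user["cred_version"] + 1)
    return True
```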
