[Chugalug] Cookies for auth rant (almost just a link)

Stephen Kraus ub3ratl4sf00 at gmail.com
Fri Mar 22 17:57:11 UTC 2013


Cookies are so delicious though....

Especially to Airline websites, who eat them like candy and base flight
prices on your cookies.

On Fri, Mar 22, 2013 at 1:43 PM, Mike Harrison <cluon at geeklabs.com> wrote:

>
> http://it.slashdot.org/story/13/03/22/1414206/twitter-hotmail-linkedin-yahoo-open-to-hijacking
>
> yet another case of people using cookies for auth.. and getting caught with
> their cookie crumbs being all it takes.
>
> Mike's rules for auth:
>
> Don't use things stored in user/browser space (like cookies).
>
> verify the credentials for -everything-, every post.
>
> Issuing a cookie, and then checking that there is a matching session for
> that cookie is NOT good practice.
>
> Acid test:
>
> If changing your credentials on a web system does not require you to
> re-authenticate with the new credentials... something is broken.
>
>
>
>
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
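Mike's rules and his "acid test" from the quoted post, worked through as an added example that is not part of either message in this thread. It contrasts the session check he rejects (any cookie with a matching session row is trusted) with a session bound to a credential version: changing the password bumps the version, so every session issued before the change stops working and the user has to re-authenticate with the new credentials. The in-memory dictionaries, the PBKDF2 parameters and the user name `alice` are constructed for the example; a real deployment would keep users and sessions in a database.

```python
"""Session handling that passes the 'acid test' quoted above: changing a
user's credentials invalidates every session issued under the old ones."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the example (a real site would use a database).
USERS = {}     # username -> {"salt": bytes, "hash": bytes, "cred_version": int}
SESSIONS = {}  # session token (the cookie value) -> {"user": str, "cred_version": int}


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count is an assumed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "cred_version": 1}


def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def login(username, password):
    """Issue a random session token bound to the credential version in force now."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "cred_version": USERS[username]["cred_version"]}
    return token


def weak_session_user(token):
    """The practice the quoted post rejects: a token with a matching session row is
    trusted no matter what has happened to the credentials since it was issued."""
    session = SESSIONS.get(token)
    return session["user"] if session else None


def session_user(token):
    """Hardened check: the session is valid only while the credential version it was
    issued under is still current. A password change bumps the version, so older
    sessions fail here and the user must log in again with the new credentials."""
    session = SESSIONS.get(token)
    if session is None:
        return None
    user = USERS.get(session["user"])
    if user is None or session["cred_version"] != user["cred_version"]:
        SESSIONS.pop(token, None)  # stale session: drop it server-side too
        return None
    return session["user"]


def change_password(token, old_password, new_password):
    """Re-verify the current password on this very request ('verify the credentials
    for everything') instead of trusting the cookie alone, then rotate the
    credential version so no pre-existing session survives the change."""
    username = session_user(token)
    if username is None or not verify_password(username, old_password):
        return False
    salt = os.urandom(16)
    USERS[username].update(salt=salt, hash=_hash_password(new_password, salt))
    USERS[username]["cred_version"] += 1
    return True


def acid_test():
    """Run the scenario end to end and report what each check concluded."""
    register("alice", "correct horse")
    old_token = login("alice", "correct horse")
    changed = change_password(old_token, "correct horse", "battery staple")
    weak_still_trusts = weak_session_user(old_token)   # stale cookie still accepted
    hardened_rejects = session_user(old_token)         # None: re-auth required
    old_password_login = login("alice", "correct horse")
    new_token = login("alice", "battery staple")
    return {
        "changed": changed,
        "weak_check_user": weak_still_trusts,
        "hardened_check_user": hardened_rejects,
        "old_password_login": old_password_login,
        "new_session_user": session_user(new_token),
    }


if __name__ == "__main__":
    print(acid_test())
```

The one extra field per session (the credential version it was minted under) is what turns "is there a matching session row?" into "is this session still authorised by the current credentials?"; the same version bump also serves as a "log out everywhere" switch after a suspected cookie theft.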

