[Chugalug] Cookies for auth rant (almost just a link)
ub3ratl4sf00 at gmail.com
Fri Mar 22 17:57:11 UTC 2013
Cookies are so delicious though....
Especially to Airline websites, who eat them like candy and base flight
prices on your cookies.
On Fri, Mar 22, 2013 at 1:43 PM, Mike Harrison <cluon at geeklabs.com> wrote:
> Yet another case of people using cookies for auth.. and getting caught with
> their cookie crumbs being all it takes.
> Mike's rules for auth:
> Don't use things stored in user/browser space (like cookies).
> Verify the credentials for -everything-, every post.
> Issuing a cookie, and then checking that there is a matching session for
> that cookie, is NOT good practice.
> Acid test:
> If changing your credentials on a web system does not require you to
> re-authenticate with the new credentials... something is broken.
> Chugalug mailing list
> Chugalug at chugalug.org
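As an added illustration of the acid test in the quoted post (toy code written for this page, not from the thread or from any project named in it): a store that only checks that the presented cookie matches a session row, beside one that re-checks the session against the user's current credential version on every request. The names NaiveAuth, BoundAuth, cred_version and acid_test, and the "alice" account and password values, are made up for the example; passwords are kept in plaintext only to keep the toy short, and a real store would hash them.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    password: str          # plaintext only to keep this toy short; hash in real code
    cred_version: int = 0  # bumped on every credential change


@dataclass
class Session:
    user: str
    cred_version: int      # credential generation the session was issued against


class NaiveAuth:
    """Issue a cookie, then only check that a matching session row exists
    (the pattern the quoted post calls out)."""

    def __init__(self):
        self.users = {}     # username -> User (constructed in-memory store)
        self.sessions = {}  # cookie token -> Session

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.cred_version)
        return token

    def is_authenticated(self, token):
        # Only asks "is there a session for this cookie?"
        return token in self.sessions

    def change_password(self, username, new_password):
        user = self.users[username]
        user.password = new_password
        user.cred_version += 1  # invalidates anything issued against the old credentials


class BoundAuth(NaiveAuth):
    """Same store, but every request re-checks the session against the
    credentials as they are now, not as they were at login."""

    def is_authenticated(self, token):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        user = self.users[sess.user]
        return sess.cred_version == user.cred_version


def acid_test(auth_cls):
    """Mike's acid test: after a credential change, is the old cookie still good?
    Returns True if the change forces re-authentication, False if it does not."""
    auth = auth_cls()
    auth.users["alice"] = User("correct horse")
    token = auth.login("alice", "correct horse")
    if not auth.is_authenticated(token):
        raise RuntimeError("login should have produced a valid session")
    auth.change_password("alice", "battery staple")
    return not auth.is_authenticated(token)


def relogin_after_change(auth_cls):
    """After the change, the old password must fail and the new one must work."""
    auth = auth_cls()
    auth.users["alice"] = User("correct horse")
    auth.change_password("alice", "battery staple")
    old_ok = auth.login("alice", "correct horse") is not None
    new_token = auth.login("alice", "battery staple")
    new_ok = new_token is not None and auth.is_authenticated(new_token)
    return (old_ok, new_ok)


if __name__ == "__main__":
    print("NaiveAuth forces re-auth:", acid_test(NaiveAuth))
    print("BoundAuth forces re-auth:", acid_test(BoundAuth))
```

Run it and the naive store reports False: the session row still exists, so the cookie minted under the old password keeps working after the change. The bound store reports True, and a fresh login with the new password issues a cookie that passes.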