Cookies are so delicious though....<br><br>Especially to Airline websites, who eat them like candy and base flight prices on your cookies.<br><br><div class="gmail_quote">On Fri, Mar 22, 2013 at 1:43 PM, Mike Harrison <span dir="ltr"><<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<a href="http://it.slashdot.org/story/13/03/22/1414206/twitter-hotmail-linkedin-yahoo-open-to-hijacking" target="_blank">http://it.slashdot.org/story/13/03/22/1414206/twitter-hotmail-linkedin-yahoo-open-to-hijacking</a><br>

<br>
yet another case of people using cookies for auth.. and getting caught with their cookie crumbs being all it takes.<br>
<br>
Mike's rules for auth:<br>
<br>
Don't use things stored in user/browser space (like cookies).<br>
<br>
verify the credentials for -everything-, every post.<br>
<br>
Issuing a cookie, and then checking that there is a matching session for that cookie is NOT good practices.<br>
<br>
Acid test:<br>
<br>
If changing your credentials on a web system does not require you to re-authenticate with the new credentials... something is broken.<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Chugalug mailing list<br>
<a href="mailto:Chugalug@chugalug.org" target="_blank">Chugalug@chugalug.org</a><br>
<a href="http://chugalug.org/cgi-bin/mailman/listinfo/chugalug" target="_blank">http://chugalug.org/cgi-bin/mailman/listinfo/chugalug</a><br>
</blockquote></div><br>
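Added example, not code from either message above: a minimal session store that passes Mike's acid test. Each session records the credential version it was minted under, so a password change (which itself re-verifies the old password) bumps the version and every existing session, including a stolen one, stops resolving until the user logs in again with the new credentials. The class and function names (AuthStore, session_cookie_header), the TTL and the PBKDF2 iteration count are assumptions made for this illustration; the cookie attributes on the Set-Cookie line are the standard ones that keep a session token off plaintext HTTP and out of script.<br><br>

```python
"""Session handling that passes the 'acid test': changing a password
invalidates every session minted under the old credentials, so a stolen
cookie stops working the moment the real user rotates their password.

Added illustration, not code from the original thread. AuthStore,
session_cookie_header, SESSION_TTL and the KDF cost are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed value for this example


class AuthStore:
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "version"}
        self.sessions = {}  # token -> {"user", "version", "expires"}

    @staticmethod
    def _kdf(password, salt):
        # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": self._kdf(password, salt), "version": 1}

    def check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            self._kdf(password, b"\0" * 16)  # burn the same time for unknown users
            return False
        return hmac.compare_digest(rec["hash"], self._kdf(password, rec["salt"]))

    def login(self, user, password):
        """Return a fresh session token, or None if the credentials are wrong."""
        if not self.check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "version": self.users[user]["version"],
                                "expires": time.time() + SESSION_TTL}
        return token

    def session_user(self, token):
        """Resolve a token to a username; None if missing, expired or stale."""
        s = self.sessions.get(token)
        if s is None or s["expires"] < time.time():
            self.sessions.pop(token, None)
            return None
        # The session carries the credential version it was minted under;
        # a mismatch means the password changed since login, so drop it.
        if s["version"] != self.users[s["user"]]["version"]:
            del self.sessions[token]
            return None
        return s["user"]

    def change_password(self, token, old_password, new_password):
        """Re-verify the old credential, rotate it, and bump the version so that
        every existing session (the caller's own included) must re-authenticate."""
        user = self.session_user(token)
        if user is None or not self.check_password(user, old_password):
            return False
        salt = os.urandom(16)
        rec = self.users[user]
        rec["salt"], rec["hash"] = salt, self._kdf(new_password, salt)
        rec["version"] += 1
        return True


def session_cookie_header(token):
    """Set-Cookie line for the session token: never over plaintext HTTP,
    never readable from script, never sent cross-site."""
    return (f"Set-Cookie: session={token}; Secure; HttpOnly; "
            f"SameSite=Strict; Path=/; Max-Age={SESSION_TTL}")


def demo():
    """Constructed walk-through: a sniffed cookie dies when the password changes."""
    store = AuthStore()
    store.register("alice", "correct horse")
    token = store.login("alice", "correct horse")
    stolen = token                       # attacker captured the cookie in transit
    assert store.session_user(stolen) == "alice"
    assert store.change_password(token, "correct horse", "battery staple")
    # Old sessions, stolen or not, are now dead; only a fresh login works.
    return (store.session_user(stolen),
            store.login("alice", "correct horse") is None,
            store.session_user(store.login("alice", "battery staple")))
    # returns (None, True, 'alice')
```

The version check in session_user is what makes "matching session exists" insufficient on its own: the lookup also has to agree with the current state of the credential it was issued against.<br>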