From: Mike Harrison
------------------------------------------------------

http://it.slashdot.org/story/13/03/22/1414206/twitter-hotmail-linkedin-yahoo-open-to-hijacking

Yet another case of people using cookies for auth... and getting caught with their cookie crumbs being all it takes.

Mike's rules for auth:

Don't use things stored in user/browser space (like cookies). Verify the credentials for -everything-, every post.

Issuing a cookie, and then checking that there is a matching session for that cookie, is NOT good practice.

Acid test: If changing your credentials on a web system does not require you to re-authenticate with the new credentials... something is broken.

===============================================================

From: Stephen Kraus
------------------------------------------------------

Cookies are so delicious though.... Especially to Airline websites, who eat them like candy and base flight prices on your cookies.
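As an added example that is not part of either post, the following Python sketches one way to satisfy Mike's acid test: each session is bound to a credential version stored with the user record, a password change requires the old password rather than just a valid session, and bumping the version retires every outstanding session (including a hijacked one). The in-memory `USERS` and `SESSIONS` dictionaries, the helper names, and the PBKDF2 parameters are assumptions made for this illustration, not anything from the thread or the linked story.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores for the example; a real deployment would back these with a database.
USERS = {}     # username -> {"pw_hash": bytes, "salt": bytes, "cred_version": int}
SESSIONS = {}  # session token -> {"user": str, "cred_version": int}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "pw_hash": _hash_password(password, salt),
        "salt": salt,
        "cred_version": 1,
    }


def login(username: str, password: str):
    """Verify the credentials; on success mint a session tied to the current credential version."""
    u = USERS.get(username)
    if u is None or not hmac.compare_digest(_hash_password(password, u["salt"]), u["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "cred_version": u["cred_version"]}
    return token


def current_user(token: str):
    """Resolve a session token to a username, but only while the credential version still matches.

    A session minted before a password change carries an older version and is dropped here,
    so a stolen cookie stops working as soon as the victim rotates their password.
    """
    s = SESSIONS.get(token)
    if s is None:
        return None
    u = USERS.get(s["user"])
    if u is None or u["cred_version"] != s["cred_version"]:
        SESSIONS.pop(token, None)
        return None
    return s["user"]


def change_password(token: str, old_password: str, new_password: str) -> bool:
    """Require the old password (not merely a valid session), then retire all sessions.

    Bumping cred_version invalidates every session for the user, including the one that
    made this request, so the caller must log in again with the new credentials.
    """
    user = current_user(token)
    if user is None:
        return False
    u = USERS[user]
    if not hmac.compare_digest(_hash_password(old_password, u["salt"]), u["pw_hash"]):
        return False
    u["salt"] = secrets.token_bytes(16)
    u["pw_hash"] = _hash_password(new_password, u["salt"])
    u["cred_version"] += 1
    return True
```

The check in `current_user` is what makes the session store more than "is there a matching session for this cookie": the cookie alone is never sufficient once the credentials it was issued under have changed.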