Cookies for auth rant (almost just a link)

From: Mike Harrison 

yet another case of people using cookies for auth.. and getting cause with 
their cookie crumbs being all it takes.

Mike's rules for auth:

Don't use things stored in user/browser space (like cookies).

verify the credentials for -everything-, every post.

Issuing a cookie, and then checking that there is a matching session for 
that cookie is NOT good practices.

Acid test:

If changing your credentials on a web system does not require you to 
re-authenticate with the new credentials... something is broken.

=============================================================== From: Stephen Kraus ------------------------------------------------------ Cookies are so delicious though.... Especially to Airline websites, who eat them like candy and base flight prices on your cookies.