Cookies for auth rant (almost just a link)

From: Mike Harrison 
------------------------------------------------------

http://it.slashdot.org/story/13/03/22/1414206/twitter-hotmail-linkedin-yahoo-open-to-hijacking

yet another case of people using cookies for auth.. and getting caught with 
their cookie crumbs being all it takes.

Mike's rules for auth:

Don't use things stored in user/browser space (like cookies).

Verify the credentials for -everything-, every post.

Issuing a cookie, and then checking that there is a matching session for 
that cookie is NOT good practice.

Acid test:

If changing your credentials on a web system does not require you to 
re-authenticate with the new credentials... something is broken.
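
An added example (not part of Mike's post) showing one way a server can pass his acid test: every session token is bound to a credential version, a password change bumps that version, and any token issued before the change stops resolving, so the user must log in again with the new credentials. The AuthServer class and its method names are assumptions made for this illustration; the in-memory dicts stand in for a real user and session store.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    credential_version: int = 0  # bumped on every password change


@dataclass
class AuthServer:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # token -> (username, version)

    def _hash(self, salt, password):
        return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, self._hash(salt, password))

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.pw_hash, self._hash(user.salt, password)):
            return None
        token = secrets.token_urlsafe(32)  # the cookie value handed to the browser
        self.sessions[token] = (username, user.credential_version)
        return token

    def resolve(self, token):
        """Map a cookie value to a user; stale sessions are dropped, not honoured."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, version = entry
        if version != self.users[username].credential_version:
            del self.sessions[token]  # issued before the last credential change
            return None
        return username

    def change_password(self, token, old, new):
        username = self.resolve(token)
        if username is None:
            return False
        user = self.users[username]
        if not hmac.compare_digest(user.pw_hash, self._hash(user.salt, old)):
            return False  # the cookie alone is not enough for a sensitive change
        user.salt = secrets.token_bytes(16)
        user.pw_hash = self._hash(user.salt, new)
        user.credential_version += 1  # invalidates every outstanding session
        return True
```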

===============================================================

From: Stephen Kraus
------------------------------------------------------

Cookies are so delicious though.... Especially to airline websites, who eat them like candy and base flight prices on your cookies.