[LRUG] Authentication by cookie

Andrew Stewart boss at airbladesoftware.com
Mon Feb 7 05:56:32 PST 2011


On 7 Feb 2011, at 12:33, Tom Stuart wrote:
> On 7 Feb 2011, at 12:30, Andrew Stewart wrote:
>> According to this blog post it's so the cookie is invalidated when the user changes their password.
>> http://m.onkey.org/signed-and-permanent-cookies-in-rails-3
>> Again, though, I don't see why we would want to invalidate the cookie in this situation.
> 
> Because the user might be changing their password because it's been compromised, in which case they don't want any attacker who's already authenticated with the old password to be able to continue to log in as them.

That makes sense.  Thanks!

Andy
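The mechanism the thread is discussing, shown as an added stand-alone example in plain Ruby (this is not Rails' or the blog post's code, and the user store, secret and cookie format are constructed for illustration): a signed remember-me cookie carries the user id plus a fingerprint of the user's current password digest, so the cookie is rejected as soon as the password changes, which is exactly what a user who has just locked out an attacker wants.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
require 'base64'

# Server-side signing secret (constructed for this example; in practice load it from config).
COOKIE_SECRET = 'example-only-server-secret'.freeze

# Minimal user record. The password digest changes every time the password is set,
# which is what makes the cookie fingerprint below go stale.
class User
  attr_reader :id, :password_digest

  def initialize(id, password)
    @id = id
    set_password(password)
  end

  def set_password(password)
    salt = SecureRandom.hex(8)
    @password_digest = "#{salt}$#{Digest::SHA256.hexdigest(salt + password)}"
  end
end

# Constant-time string comparison so the signature check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', COOKIE_SECRET, payload)
end

# Short fingerprint of the current password digest; it is a public value in the
# cookie, so it must not be the digest itself.
def password_fingerprint(user)
  Digest::SHA256.hexdigest("cookie-fp:#{user.password_digest}")[0, 16]
end

# Cookie value: base64(payload) followed by "--" and the HMAC of the payload.
def build_cookie(user)
  payload = "#{user.id}:#{password_fingerprint(user)}"
  "#{Base64.strict_encode64(payload)}--#{sign(payload)}"
end

# Returns the User if the cookie is intact AND still matches the user's current
# password digest; returns nil on tampering, on an unknown user, or after a
# password change.
def authenticate(cookie, users_by_id)
  encoded, sig = cookie.to_s.split('--', 2)
  return nil if encoded.nil? || sig.nil?

  payload = begin
    Base64.strict_decode64(encoded)
  rescue ArgumentError
    return nil
  end
  return nil unless secure_compare(sign(payload), sig)

  id, fingerprint = payload.split(':', 2)
  user = users_by_id[id.to_i]
  return nil if user.nil? || fingerprint.nil?
  secure_compare(password_fingerprint(user), fingerprint) ? user : nil
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, 'hunter2')
  users = { 1 => alice }
  cookie = build_cookie(alice)
  puts "before password change: #{authenticate(cookie, users) ? 'accepted' : 'rejected'}"
  alice.set_password('a-new-password')
  puts "after password change:  #{authenticate(cookie, users) ? 'accepted' : 'rejected'}"
end
```

The fingerprint is bound to the password digest rather than to the password, so a login cookie issued before the change is useless afterwards, while a cookie issued after the change still works; the HMAC stops anyone from simply editing the user id or fingerprint in the cookie.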
