[LRUG] Authentication by cookie

Tom Stuart tom at experthuman.com
Mon Feb 7 04:33:37 PST 2011


On 7 Feb 2011, at 12:30, Andrew Stewart wrote:
> According to this blog post it's so the cookie is invalidated when the user changes their password.
>  http://m.onkey.org/signed-and-permanent-cookies-in-rails-3
> Again, though, I don't see why we would want to invalidate the cookie in this situation.

Because the user might be changing their password because it's been compromised, in which case they don't want any attacker who's already authenticated with the old password to be able to continue to log in as them.

Some people break this out into separate "change password" and "sign me out everywhere" features, but it's almost always easier and safer to just treat them as the same thing.

Cheers,
-Tom
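The password-bound cookie that the linked post describes, as an added Ruby example (not code from the thread or from Rails): the signed cookie carries an HMAC of the user's stored password digest, so any cookie issued before a password change stops verifying. SECRET, the in-memory USERS table and plain SHA-256 standing in for bcrypt are constructed assumptions.

```ruby
require 'openssl'
require 'digest'
require 'securerandom'

# Constructed per-process secret (Rails would use secret_key_base).
SECRET = SecureRandom.hex(32)
User = Struct.new(:id, :password_digest)
USERS = {} # constructed in-memory stand-in for the users table

def hmac(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
end

# Constant-time comparison so signature checks don't leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# SHA-256 here is a placeholder; a real app stores a bcrypt digest.
def store_user(id, password)
  USERS[id] = User.new(id, Digest::SHA256.hexdigest(password))
end

def change_password(id, new_password)
  USERS[id].password_digest = Digest::SHA256.hexdigest(new_password)
end

# Token bound to the current password; changes whenever the digest does.
def password_token(user)
  hmac(user.password_digest)
end

# cookie = "<id>:<password token>--<signature over the payload>"
def issue_cookie(user)
  payload = "#{user.id}:#{password_token(user)}"
  "#{payload}--#{hmac(payload)}"
end

# Returns the User if the cookie is authentic and still matches the
# current password, otherwise nil (tampered, unknown user, or password changed).
def user_from_cookie(cookie)
  payload, sig = cookie.to_s.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(hmac(payload), sig)   # tampered?
  id_str, token = payload.split(':', 2)
  user = USERS[id_str.to_i]
  return nil if user.nil? || token.nil?
  return nil unless secure_equal?(password_token(user), token) # password changed?
  user
end
```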
