Twitter cookies tied to the password

May 04 2010

Well, I don't know what else to say about this:

It is impossible to maintain a secure session with Twitter, for multiple reasons. Additionally, once a session has been hijacked, it is possible for the attacker to maintain control over the account (not just the session) indefinitely, unless the user changes their password. This is because the session cookie has the same lifetime as the password.

Impossible to Maintain Secure Session With Twitter.com Web Interface

This cookie works even after the user logs out using the http://twitter.com/logout action, and even after the user logs back in again to start a new session. The only way to invalidate this cookie is to change the user’s password, which results in a new, equally long-lived password_token value.

m(
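To make the failure mode in the quoted advisory concrete, here is an added illustration (not Twitter's code, and not from the advisory's author): a toy "password-bound" session scheme in which the cookie is a MAC over the user name and a per-password token, so a stolen cookie survives logout and re-login and dies only when the password changes, next to a server-side session store that logout can actually revoke and that also expires idle sessions. The class names, the cookie format, the server key and the user names are all constructed for this example.

```python
"""Password-bound session cookie (the weak design described above) versus
a revocable server-side session.  Added example; not Twitter's implementation.
Cookie format, token derivation and all names are constructed assumptions."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-server-side-mac-key"  # assumption: one server-wide key


class PasswordBoundSessions:
    """Weak: cookie = user ':' HMAC(key, user ':' password_token).
    Validity lives entirely in the cookie, so logout has nothing to delete;
    only a password change (new password_token) invalidates old cookies."""

    def __init__(self):
        self.password_token = {}  # user -> random token minted per password

    def set_password(self, user, _new_password):
        # A real system would also store a password hash; here only the
        # per-password token matters, because it is what the cookie binds to.
        self.password_token[user] = secrets.token_hex(16)

    def _mac(self, user):
        msg = f"{user}:{self.password_token.get(user, '')}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def login(self, user):
        return f"{user}:{self._mac(user)}"

    def logout(self, user, cookie):
        pass  # nothing server-side to revoke: the cookie stays valid

    def is_valid(self, cookie):
        user, _, mac = cookie.partition(":")
        return hmac.compare_digest(mac, self._mac(user))


class ServerSideSessions:
    """Hardened: opaque random session id, server-side record, logout deletes
    the record, idle sessions expire, and a password change revokes every
    session of that user."""

    def __init__(self, idle_timeout=3600):
        self.sessions = {}  # sid -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def login(self, user, now=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def set_password(self, user, _new_password):
        for sid in [s for s, r in self.sessions.items() if r["user"] == user]:
            del self.sessions[sid]

    def is_valid(self, sid, now=None):
        rec = self.sessions.get(sid)
        if rec is None:
            return False
        now = time.time() if now is None else now
        if now - rec["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return False
        rec["last_seen"] = now
        return True


def demo():
    """Replays the advisory's scenario against both designs."""
    weak = PasswordBoundSessions()
    weak.set_password("alice", "hunter2")
    stolen = weak.login("alice")          # attacker copies this cookie
    weak.logout("alice", stolen)          # victim logs out ...
    weak.login("alice")                   # ... and logs back in
    valid_after_logout = weak.is_valid(stolen)     # still True
    weak.set_password("alice", "new-password")
    valid_after_pw_change = weak.is_valid(stolen)  # finally False

    good = ServerSideSessions(idle_timeout=3600)
    sid = good.login("bob", now=1000.0)
    good.logout(sid)
    valid_after_revoke = good.is_valid(sid, now=1001.0)   # False
    sid2 = good.login("bob", now=2000.0)
    valid_after_idle = good.is_valid(sid2, now=5601.0)    # False, timed out
    return valid_after_logout, valid_after_pw_change, valid_after_revoke, valid_after_idle


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is where validity is decided: when the only secret the cookie is checked against is derived from the password, logout cannot be more than a client-side cookie deletion, which an attacker holding a copy simply ignores.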