Twitter cookies coupled to the password

May 04 2010


Well, I don't know what else to say about this:

It is impossible to maintain a secure session with Twitter, for multiple reasons. Additionally, once a session has been
hijacked, it is possible for the attacker to maintain control over the account (not just the session) indefinitely,
unless the user changes their password. This is because the session cookie has the same lifetime as the password.


Impossible to Maintain Secure Session With Twitter.com Web Interface

This cookie works even after the user logs out using the http://twitter.com/logout action, and even after the user logs
back in again to start a new session. The only way to invalidate this cookie is to change the user’s password, which
results in a new, equally long-lived password_token value.



m(
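To make the quoted point concrete, here is an added example of my own (not Twitter's code and not from the advisory) that models the two designs: a cookie whose value is a per-user token regenerated only on password change, next to a server-side session store whose IDs are dropped on logout. The class and function names and the in-memory stores are assumptions for the demo; the plain SHA-256 password hash is a placeholder, not a recommendation.

```python
"""Model of a session cookie bound to the password vs. server-side sessions.

Illustrative code, not Twitter's implementation. Assumptions: the weak server
keeps a per-user `password_token` that only changes with the password and
accepts it as the cookie; the hardened server hands out random session IDs,
keeps them server-side, and deletes them on logout and password change.
"""
import hashlib
import hmac
import secrets


def _hash_pw(password):
    # Placeholder only; real code uses a password KDF (argon2, scrypt, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordBoundSessions:
    """Weak model: the cookie is a long-lived token tied to the password."""

    def __init__(self):
        self.users = {}  # user -> {"pw_hash": str, "password_token": str}

    def register(self, user, password):
        self.users[user] = {"pw_hash": _hash_pw(password),
                            "password_token": secrets.token_hex(16)}

    def login(self, user, password):
        rec = self.users[user]
        if not hmac.compare_digest(rec["pw_hash"], _hash_pw(password)):
            return None
        return rec["password_token"]  # identical on every login

    def logout(self, cookie):
        pass  # nothing to revoke: the token lives as long as the password

    def is_authenticated(self, user, cookie):
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["password_token"], cookie)

    def change_password(self, user, new_password):
        self.register(user, new_password)  # only this mints a new token


class ServerSideSessions:
    """Hardened model: random session IDs stored and revoked on the server."""

    def __init__(self):
        self.users = {}     # user -> pw_hash
        self.sessions = {}  # session_id -> user

    def register(self, user, password):
        self.users[user] = _hash_pw(password)

    def login(self, user, password):
        if not hmac.compare_digest(self.users[user], _hash_pw(password)):
            return None
        sid = secrets.token_urlsafe(32)  # fresh, unguessable per login
        self.sessions[sid] = user
        return sid

    def logout(self, cookie):
        self.sessions.pop(cookie, None)  # revoked immediately

    def is_authenticated(self, user, cookie):
        return self.sessions.get(cookie) == user

    def change_password(self, user, new_password):
        self.users[user] = _hash_pw(new_password)
        # Kill every existing session of the user, as a hijacked one might be among them.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}


def replay_after_logout(store, user="alice", password="correct horse"):
    """Replay a stolen cookie at each step of the scenario from the advisory.

    Returns whether the stolen cookie is still accepted after logout, after the
    victim logs in again, and after the victim changes the password.
    """
    store.register(user, password)
    stolen = store.login(user, password)  # attacker captured this cookie
    result = {"before_logout": store.is_authenticated(user, stolen)}
    store.logout(stolen)
    result["after_logout"] = store.is_authenticated(user, stolen)
    store.login(user, password)  # victim starts a new session
    result["after_relogin"] = store.is_authenticated(user, stolen)
    store.change_password(user, "battery staple")
    result["after_password_change"] = store.is_authenticated(user, stolen)
    return result


if __name__ == "__main__":
    print("password-bound:", replay_after_logout(PasswordBoundSessions()))
    print("server-side:   ", replay_after_logout(ServerSideSessions()))
```

With the password-bound store the stolen cookie stays valid through logout and re-login and dies only with a password change, which is exactly the behaviour the advisory describes; with server-side sessions it is dead the moment the victim logs out.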