Students: if you ever do this, you are compelled to commit seppuku
Lesson one in security: deny by default, allow with care. It is entirely brain dead for your login logic to be “if the logged_in cookie is false, they’re not logged in, otherwise they are”, rather than “if the logged_in cookie is true, they’re logged in, otherwise they’re not”.
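The two branch shapes side by side, as an added example that is not part of the original post. The function names and the sample Cookie headers are constructed for illustration; only the `logged_in` cookie name comes from the text above.

```python
from http.cookies import SimpleCookie


def cookie_value(header, name="logged_in"):
    """Return the named cookie's value from a Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(header or "")
    return jar[name].value if name in jar else None


def is_logged_in_default_allow(header):
    # The pattern the post warns about: only an explicit "false" is rejected,
    # so a missing, empty or unexpected value falls through to "logged in".
    return cookie_value(header) != "false"


def is_logged_in_default_deny(header):
    # Deny by default: only an explicit "true" is accepted,
    # every other state of the cookie means "not logged in".
    return cookie_value(header) == "true"


# Constructed sample Cookie headers (not taken from any real application).
SAMPLES = [
    "logged_in=true",
    "logged_in=false",
    "",                 # cookie not sent at all
    "logged_in=False",  # different capitalisation
    "logged_in=0",
    "logged_in=",       # empty value
    "theme=dark",       # unrelated cookie only
]


def compare(samples=SAMPLES):
    """Return (header, default_allow_result, default_deny_result) per sample."""
    return [(h, is_logged_in_default_allow(h), is_logged_in_default_deny(h))
            for h in samples]


if __name__ == "__main__":
    for header, allow, deny in compare():
        print(f"{header!r:20} default-allow={allow!s:5} default-deny={deny}")
```

Of the seven samples, the default-allow check treats six as logged in; the default-deny check accepts only `logged_in=true`.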




