Are you sure about that? I read that Rails 2.x uses HttpOnly cookies, so I guess that it is up to the user to make sure his browser is secure and complies with security standards.
The issue about supplying the old password with the new one is for the case where the identity was stolen. The account is cracked, but neither the password nor the email can be changed. Do you remember the Gmail security hole that enabled a hacker to create mail filters to redirect mail to his own account?

