On Sep 17, 5:37 am, Fernando Perez <[EMAIL PROTECTED]> wrote:
> Are you sure about that?
>
> I read that Rails 2.x uses http only cookies, so I guess that it is up
> to the user to make sure his browser is secure and complies with standards
> of security.
>
> The issue about supplying the old password with the new one is in the
> case where the identity was stolen. The account is cracked, but neither the
> password nor the email can be changed.
>
> Do you remember the Gmail security hole that enabled a hacker to
> create mail filters to redirect mail to his own account?
> --
> Posted via http://www.ruby-forum.com/.
I think the comment is just saying that authentication and authorization are two different beasts, i.e., the current user logged in is indeed that user (authentication) as opposed to the current user being allowed to change or update other users (authorization). It is always a good idea to ask for a user's old password whenever he(?) is trying to change it. There will always be instances when a user can be just plain dumb - like forgetting to log off from a public workstation.
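A minimal Ruby sketch of the practice the reply recommends, re-authenticating with the current password before the change is authorized. This is an added example, not code from the thread or from Rails; it assumes stdlib PBKDF2 for hashing where a Rails app would normally use has_secure_password, and the User class and its return symbols are illustrative.

```ruby
require 'openssl'
require 'securerandom'

# Illustrative User model (not Rails' own): a stolen session cookie on
# its own must not be enough to set a new password and lock the real
# owner out, so the change requires proof of the current password.
class User
  ITERATIONS = 100_000 # PBKDF2 work factor (assumed value)
  KEY_LEN = 32         # derived-key length in bytes

  attr_reader :email

  def initialize(email, password)
    @email = email
    set_password(password)
  end

  # Authentication check that gates the password change (authorization).
  # Returns :wrong_current_password, :weak_password, or :changed.
  def change_password(current_password, new_password)
    return :wrong_current_password unless authenticate(current_password)
    return :weak_password if new_password.to_s.length < 8
    set_password(new_password)
    :changed
  end

  # True when the supplied password derives to the stored digest.
  def authenticate(password)
    constant_time_equal?(derive(password, @salt), @digest)
  end

  private

  # Fresh random salt on every change so old digests cannot be reused.
  def set_password(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, salt, ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Compare every byte so the comparison time does not reveal the digest.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```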

