Hi all,

I came across a strange issue today with a few users in my app that
still uses basic auth:

1. User signs up to app with username / password
2. App verifies against verify_credentials
3. On success, the returned <id> is stored.

4. User changes their screen_name, and that screen name is released to
be used by others
5. User creates a new account, and uses the old username with same
6. App continues to authenticate using username / password

At thsi point, my app was processing the direct messages feed, and I
performed a 'just in case' check on the recipient_id and the stored
user_id. That's when some exceptions occurred, where the stored
user_id did not match the recipient_id.

So I'm wondering - how have people protected against this?

Reply via email to