
Not using attr_accessible is a lot different from not using reset_session after authenticating a login. It's very easy to forget or not notice a model missing some whitelisting, but to roll your own authentication code with zero security investment is just stupid, and I would be extremely surprised if GitHub doesn't do it.


> different than not using reset_session after authenticating a log in

If it's obvious to you, you are good at security. But it is NOT common sense to use reset_session.
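The two mistakes the thread contrasts, shown side by side in plain Ruby as an added example (this is not code from the thread, from Rails, or from GitHub). It uses a constructed in-memory session store and a toy controller whose `reset_session` mimics the Rails helper of the same name; `SessionStore`, `Controller`, `User`, the `login_*` functions and the fixtures are all hypothetical names invented for this illustration. The first half simulates a session fixation attack against a login handler that does and does not call `reset_session`; the second half shows why a missing attribute whitelist lets a forged `admin` parameter through.

```ruby
require "securerandom"

# Constructed server-side session store: id => hash of session data.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id)
    @sessions[id]
  end

  def destroy(id)
    @sessions.delete(id)
  end
end

# Toy controller (hypothetical, loosely modelled on Rails' session helpers).
class Controller
  attr_reader :session_id

  def initialize(store, session_id)
    @store = store
    @session_id = session_id
  end

  def session
    @store[@session_id]
  end

  # Like Rails' reset_session: discard the presented id and issue a fresh one.
  def reset_session
    @store.destroy(@session_id)
    @session_id = @store.create
  end
end

USERS = { "alice" => "correct horse" }.freeze # constructed fixture

def authenticate(user, password)
  USERS[user] == password
end

# Vulnerable: stores the identity in whatever session id the client presented.
def login_without_reset(ctrl, user, password)
  return false unless authenticate(user, password)
  ctrl.session[:user_id] = user
  true
end

# Hardened: rotate the session id before binding the identity to it.
def login_with_reset(ctrl, user, password)
  return false unless authenticate(user, password)
  ctrl.reset_session
  ctrl.session[:user_id] = user
  true
end

# Session fixation: attacker obtains an anonymous id, plants it in the victim's
# browser, the victim logs in, attacker replays the id. Returns the user the
# attacker is now logged in as, or nil if the id no longer maps to a session.
def fixation_attack(login)
  store = SessionStore.new
  attacker_id = store.create
  victim = Controller.new(store, attacker_id) # victim carries the attacker's id
  login.call(victim, "alice", "correct horse")
  attacker_session = store[attacker_id]
  attacker_session && attacker_session[:user_id]
end

# Mass assignment: a model with and without an attr_accessible-style whitelist.
class User
  attr_accessor :name, :email, :admin
  ATTR_ACCESSIBLE = [:name, :email].freeze

  def initialize
    @admin = false
  end

  def assign_unfiltered(params)
    params.each { |k, v| public_send("#{k}=", v) }
  end

  def assign_whitelisted(params)
    params.each { |k, v| public_send("#{k}=", v) if ATTR_ACCESSIBLE.include?(k.to_sym) }
  end
end

# Constructed request body with an extra admin=true field the form never sent.
FORGED_PARAMS = { "name" => "mallory", "email" => "m@example.test", "admin" => true }.freeze

if __FILE__ == $0
  puts "fixation, no reset_session: #{fixation_attack(method(:login_without_reset)).inspect}"
  puts "fixation, with reset_session: #{fixation_attack(method(:login_with_reset)).inspect}"
  puts "admin, unfiltered:  #{User.new.tap { |u| u.assign_unfiltered(FORGED_PARAMS) }.admin}"
  puts "admin, whitelisted: #{User.new.tap { |u| u.assign_whitelisted(FORGED_PARAMS) }.admin}"
end
```

Run it directly to see the attacker end up logged in as alice only in the no-reset case, and `admin` flip to true only without the whitelist. The fixation half only applies when the application accepts a session id it did not itself issue (or one issued pre-authentication), which is exactly the state a login without `reset_session` leaves you in.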



