undefined | Better HN

0 pointsbasch3y ago0 comments

saved in the browser

0 comments

Yeah, I realize it was just a continued session, but that's exactly what I mean. For things like password changes or privilege changes, there should always be a mandatory re-auth to make sure it's not someone else at keys.

This is pretty much just best practice. When's the last time you could change your password without entering the original, short of a re-verification via email? Same idea here.

baschOP3y ago

>a mandatory re-auth

which, if the persons password is saved in their browser, would pass through to the website, granting a re-auth.

geoelectric3y ago

Oh, I misunderstood what you meant as the session token still being active.

I got you now. I've been using 3rd party password managers (with a timeout for a forced reauth) long enough that I forgot when you let the browser do it it's not nearly so locked down.

j / k navigate · click thread line to collapse

0 comments

geoelectric3y ago

This is pretty much just best practice. When's the last time you could change your password without entering the original, short of a re-verification via email? Same idea here.

baschOP3y ago

>a mandatory re-auth

which, if the persons password is saved in their browser, would pass through to the website, granting a re-auth.

geoelectric3y ago

Oh, I misunderstood what you meant as the session token still being active.

I got you now. I've been using 3rd party password managers (with a timeout for a forced reauth) long enough that I forgot when you let the browser do it it's not nearly so locked down.

j / k navigate · click thread line to collapse