I’m a full-time software developer, but on the side I’m teaching a university course on web services. I’m going over security right now and was wondering if any of you all have had any security breaches that you could tell about (details obscured as needed) that I could share with my students. Real-life stories are a lot more meaningful than made-up scenarios…
Here is a story from me:
I was once a customer of an online audiobook store. Besides authenticating myself with username and password, I also needed my browser to accept cookies. This wasn’t unusual. The cookie is probably needed for storing the session ID.
But I got confused since the session ID was also transmitted in the URL and I didn’t see a reason for why there was a need for cookies. So I took a look into my cookie jar to see what oh so important information had to be stored in cookies.
Besides a cookie for the session ID there was another cookie named customer_id that obviously was designated to identify me by my customer number. I thought: “Come on, no one can be this stupid!” I altered the value for fun by changing one digit of the number (e.g. from 12345 to 12346) to see what happens.
Now guess what: I now was logged in as a different user without any further request for authentication just by changing the cookie! The customer_id cookie value was obviously not just for identification (Who am I?) but also for authentication (Am I really the one who I pretend to be?)!
The moral of this story: Always separate identification from authentication.
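The flaw in the story above, sketched as an added example (this is not code from the original post or from the store it describes): one resolver trusts the customer_id cookie, the other derives identity only from a server-side session. The function names, the in-memory session table and the two sample customers are assumptions made for illustration.

```python
import secrets

# Constructed sample data: two customers and a server-side session table.
CUSTOMERS = {"12345": "alice", "12346": "bob"}
SESSIONS = {}  # session ID -> customer ID, held only on the server


def login(customer_id, password_ok):
    """Create a session after the password check and return the cookies to set."""
    if not password_ok or customer_id not in CUSTOMERS:
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable, 256 bits of randomness
    SESSIONS[session_id] = customer_id
    # customer_id is still sent as a cookie, as in the store described above.
    return {"session_id": session_id, "customer_id": customer_id}


def current_user_vulnerable(cookies):
    """Flaw from the story: the client-supplied customer_id decides who you are."""
    if cookies.get("session_id") not in SESSIONS:
        return None
    return CUSTOMERS.get(cookies.get("customer_id"))


def current_user_hardened(cookies):
    """Identity comes from the server-side session; the customer_id cookie is
    treated as an untrusted hint and rejected if it disagrees."""
    owner = SESSIONS.get(cookies.get("session_id"))
    if owner is None:
        return None
    claimed = cookies.get("customer_id")
    if claimed is not None and claimed != owner:
        return None  # mismatch: worth logging as a tampering signal
    return CUSTOMERS[owner]


def demo():
    cookies = login("12345", password_ok=True)
    tampered = dict(cookies, customer_id="12346")  # one digit changed
    return (current_user_vulnerable(cookies), current_user_vulnerable(tampered),
            current_user_hardened(cookies), current_user_hardened(tampered))


if __name__ == "__main__":
    print(demo())
```

In the hardened resolver the customer_id cookie could be dropped entirely; it is kept here only so that a mismatch with the session owner can be detected and logged.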