undefined | Better HN

0 pointsgruez5y ago0 comments

That sounds dangerous. By sending the full cookie you're allowing yourself to hijack any of your user's sessions. That's a big security risk. Is there a reason why you need to "validate" someone's login? If someone wants to get notified about my comments, so what? There's nothing secret about it, they can just go to https://news.ycombinator.com/threads?id=gruez and get a live feed.

0 comments

3 comments · 1 top-level

unamashana5y ago· 2 in thread

While the comments themselves are open, their state in your MagicBell inbox isn’t. If we didn’t have a way to validate identity, we won’t be able to make sure your notifications can’t be deleted/marked read by someone else.

usmannk5y ago

Why not drop a local cookie yourself for state?

unamashana5y ago

That doesn’t prevent someone from being able to impersonate you. The only alternative would be for HN to provide oauth access to your profile info.

3 more replies

j / k navigate · click thread line to collapse