[pifm_guy]

> Ones I've used, as long as you've configured a way to resolve the user, it pops right up in the service side of the chat system.

Be scared of those. They typically use client side JavaScript to read a cookie to know which username is active.

There is usually no verification of that info, so obviously it could be faked by a malicious client.

The docs say that, but it's way too easy to just trust the info rather than setup a properly secure solution.

[PaulHoule]

I could see that being really bad... A 'social engineer' could talk support people into helping them hijack an account.

[RulerOf]

I would love to watch the inevitable presentation we'll be seeing at some security convention within the next few years.

[eropple]

This is a good point. You can definitely verify a user off of context (signed tokens, etc.), but you're probably right that a lot of folks don't do a great job of that!