|
|
|
|
|
|
by samuelkadolph
4857 days ago
|
|
|
Not using attr_accessible is a lot different than not using reset_session after authenticating a log in. It's very easy to forget or not notice a model missing some whitelisting but to roll your own authentication code with zero security investment is just stupid and I would be extremely surprised if GitHub doesn't do it. |
|
|
if it's obvious for you — you are good at security. But it is NOT a common sense to use reset session