I would have expected a site like 4chan, the source of all sorts of script kiddie idiocy, would know better by this time than to stick a password, even hashed, in a cookie.
But sometimes you piss off the HN bees nest, and downvotes come streaming in. Reminds me of Reddit.
I think the original script it was based on didn't even have login per se. You just occasionally stuck in an admin password hard-coded in the PHP to do a one-time post delete or whatnot. It's mostly an anonymous forum after all. As more moderation functions grew, a real login was needed and grafted on. Users still didn't have a login for a long time and instead had a special part of their username that was hashed when displayed to prove identity.
> But sometimes you piss off the HN bees nest, and downvotes come streaming in. Reminds me of Reddit.
No, just look at your comment. You quote the OP saying it was a boneheaded move to do X. Then you use feigned surprise ('cause really, who could literally be so surprised that they type in half-words?) to express that it was a boneheaded move to do X.
Why bother to write that out, beyond "I thought this"? Why should anyone want to read it?
It's not you. HN creams their pants at the sight of moot.
If this was anyone else it would've been something more along the lines of "this is why you should leave security to the experts" or "seriously, just spending an extra day reading about the best practices would've solved the whole thing".