Hacker News new | past | comments | ask | show | jobs | submit login

As one of the project coders notes - "The normal token system revokes on password change"

Very bad security practice. Token revocation is hard, folks. If you aren't making that token expire every session then you're doing it wrong.

In fact, this was even discussed here on HN 1600+ days ago - http://homakov.blogspot.com/2012/07/saferweb-most-common-oau...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact