Hi all, I came across a strange issue today with a few users in my app that still uses basic auth:
1. User signs up to app with username / password
2. App verifies against verify_credentials
3. On success, the returned <id> is stored.
4. User changes their screen_name, and that screen name is released to be used by others
5. User creates a new account, and uses the old username with same password
6. App continues to authenticate using username / password

At this point, my app was processing the direct messages feed, and I performed a 'just in case' check on the recipient_id and the stored user_id. That's when some exceptions occurred, where the stored user_id did not match the recipient_id.

So I'm wondering - how have people protected against this?
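
One way to guard against the sequence described in the post, as an added example that is not part of the original post: bind the stored credentials to the numeric id returned at sign-up, re-check that id before each sync, and drop direct messages addressed to any other id. The `verify_credentials` call is modelled as a hypothetical callable returning a dict with `id` and `screen_name`; `StoredAccount`, `check_identity`, `accept_messages` and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass


class IdentityMismatch(Exception):
    """Stored credentials now authenticate a different account."""


@dataclass
class StoredAccount:
    user_id: int          # immutable id saved at sign-up (step 3)
    username: str         # screen name, which can be released and re-registered
    password: str
    active: bool = True


def check_identity(account, verify_credentials):
    """Re-verify before each sync. verify_credentials is a hypothetical
    stand-in for the API call; it returns a profile dict or None."""
    profile = verify_credentials(account.username, account.password)
    if profile is None:                      # credentials rejected outright
        account.active = False
        return False
    if profile["id"] != account.user_id:     # same name/password, new owner
        account.active = False               # stop using these credentials
        raise IdentityMismatch(
            f"expected id {account.user_id}, got {profile['id']}")
    return True


def accept_messages(account, messages):
    """Split a direct-message feed by whether recipient_id is the stored id."""
    kept, rejected = [], []
    for m in messages:
        (kept if m["recipient_id"] == account.user_id else rejected).append(m)
    return kept, rejected


# Constructed sample data: id 1001 signed up as "alice" and later renamed;
# id 2002 then registered "alice" with the same password (steps 4 and 5).
def fake_verify(username, password):
    accounts = {("alice", "hunter2"): {"id": 2002, "screen_name": "alice"}}
    return accounts.get((username, password))


if __name__ == "__main__":
    acct = StoredAccount(user_id=1001, username="alice", password="hunter2")
    try:
        check_identity(acct, fake_verify)
    except IdentityMismatch as exc:
        print("disabled:", exc, "| active =", acct.active)
```
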