A system one of my co-workers are load balancing and configuring AAA/SSO uses cookies for authentication. The username is inserted using a cookie, for example ”username=simon”. It’s very easy to first of all identify this cookie and modify it to another value, which makes it insecure. The idea we got was to stop exposing the cookie…