public
Fork of technoweenie/restful-authentication
Description: Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.
Homepage: http://weblog.techno-weenie.net
Clone URL: git://github.com/brianjlandau/restful-authentication.git
Fixed the 'made some methods public' kludge
mrflip (author)
Tue May 20 02:09:00 -0700 2008
commit  875781d5b4ee55120753d3a04044d8039486899e
tree    6230ba4f6cddb43a36e757dad025aa97264d827d
parent  5a4e2b66c610d1a1ecba01991f3680a02e781c74
@@ -52,16 +52,9 @@ h3. authenticated_system
 * added uniform logout! methods
 * format.any (as found in access_denied) doesn't work until
   http://dev.rubyonrails.org/changeset/8987 lands.
-* cookies are now refreshed each time we cross the logged out/in barrier
- http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
- http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/
-
-* !!!! Possibly stupid !!!
- Made current_user and logged_in? be public methods. I did this for the worst
- possible reason -- so that I could write story steps that call it directly.
- However, they're already globally public methods in principle through their
- exposure as helper methods. But if there's a less kludgy fix please educate
- me.
+* cookies are now refreshed each time we cross the logged out/in barrier, as
+ "best":http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/
+ "practice":http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
 
 h3. Other
 
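Review bot: this hunk only deletes the changelog note about making current_user and logged_in? public; the code change that the commit message promises ("Fixed the 'made some methods public' kludge") is not in this hunk, so confirm that the companion change in the authenticated_system source actually moves those two methods back to protected and that whatever helper_method declaration the removed note refers to is what keeps them reachable from views. The removed note treated helper exposure and public visibility as equivalent, but they differ: helper_method only makes a controller method callable from templates, whereas a public controller method is also an action candidate that Rails can dispatch to directly, which is why reverting the visibility matters beyond tidiness. The rewritten cookie bullet reads fine, though "best" and "practice" as separate link texts on separate lines is cryptic; a single link with descriptive anchor text, e.g. "OWASP: regeneration of session tokens":http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens, would be clearer.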
@@ -52,12 +52,14 @@ authentication code. The flexible code for resource testing in stories was
 extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/
 
 h3. Modularize to match security design patterns:
+
 * Authentication (currently: password, browser cookie token, HTTP basic)
 * Trust metric (email validation)
 * Authorization (stateful roles)
 * Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins
 
 h3. Other
+
 * Added a few helper methods for linking to user pages
 * Uniform handling of logout, remember_token
 * Stricter email, login field validation
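Review bot: the blank line added after each of the two h3. headings is the right fix; textile keeps consuming lines into the heading block until it hits a blank line, so a bullet list glued directly under "h3. Modularize ..." or "h3. Other" would have rendered as part of the heading rather than as a list. No content changes in this hunk. Worth checking that the remaining h3. headings in the file, including the "h3. authenticated_system" section touched by the earlier hunk, get the same blank line so the list rendering is consistent throughout.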
