
475 points danielstocks | 1 comments
henvic ◴[] No.27304014[source]
As a software engineer, I hate when I add a check for something "that will never happen" but that, if it happens, is awful, and people complain.

A classic example: you need to get a user from a session, check against a database, and continue if they're signed in.

Then I add a simple if databaseUser.Username != form.Username and people will say "if that happens we've something worse wrong". Geez, something might be wrong and such double checking might prove to be useful.

On a smaller scale, bits flip due to cosmic rays and so on. Of course, there must be a limit where we stop, but people are used to actively avoiding such "silly assertions" even for important steps.

¯\_(ツ)_/¯

1. anticristi ◴[] No.27308719[source]
Most people I met who do double checks would simply return "not logged in" and issue a WARN deep within the other 200 WARNs-per-second. That is IMHO a very bad usage of double checks. It gives a false sense of security and masks the deeper problem until it's too late.

However, if you make the assertion fail loud, then it provides an additional security layer and should be used as often as makes sense.
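
The difference between the two comments above, sketched in Go as an added example that is not part of the thread: the username double check returns its own error type, so the handler can alert on it instead of folding it into the routine "not logged in" path. `Authenticate`, `Handle`, `InvariantError`, `Alerts` and the map standing in for the database are hypothetical names chosen for this sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotLoggedIn is the routine outcome: the session maps to no user.
var ErrNotLoggedIn = errors.New("not logged in")
// Alerts counts invariant failures; a stand-in for a paging hook (assumption).
var Alerts int
// InvariantError marks a "will never happen" state; never downgrade it to a WARN.
type InvariantError struct{ Form, DB string }

func (e *InvariantError) Error() string {
	return fmt.Sprintf("invariant violated: form user %q != database user %q", e.Form, e.DB)
}
type User struct{ Username string } // hypothetical database row

// Authenticate loads the session's user and double-checks the submitted username.
func Authenticate(db map[int]User, sessionUserID int, formUsername string) (User, error) {
	databaseUser, ok := db[sessionUserID]
	if !ok {
		return User{}, ErrNotLoggedIn
	}
	if databaseUser.Username != formUsername {
		return User{}, &InvariantError{Form: formUsername, DB: databaseUser.Username}
	}
	return databaseUser, nil
}

// Handle returns an HTTP-style status and fails loud on invariant errors.
func Handle(db map[int]User, sessionUserID int, formUsername string) int {
	_, err := Authenticate(db, sessionUserID, formUsername)
	var inv *InvariantError
	if errors.As(err, &inv) {
		Alerts++ // alert on-call instead of hiding this among routine warnings
		return 500
	}
	if err != nil {
		return 401
	}
	return 200
}

func main() {
	db := map[int]User{1: {Username: "alice"}} // constructed sample data
	fmt.Println(Handle(db, 1, "alice"), Handle(db, 2, "bob"), Handle(db, 1, "bob"))
}
```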