Re: Storing password in cookie

On Saturday 09 April 2005 19:29, trlists@xxxxxxxxxx wrote:
> On 9 Apr 2005 Andy Pieters wrote:
> > It doesn't matter how you encrypt it.
> >
> > DO NOT STORE PASSWORDS ON USERS COMPUTER
> >
> > I hope that's clear enough.
>
> A couple of people have stated this but I think it is incorrect.  For
> one thing the users themselves are very likely to store the password
> there, so why shouldn't you -- with permission of course?

Because you should know better than the user! 

> Many sites will do this with a "remember my password and log me in
> automatically" feature.

It doesn't necessarily mean that it will literally store your password in 
a cookie, it could just be storing a token. With a token, your website 
could impose expiry dates on them or invalidate them (and possibly issue 
a new one) whenever the user performs a full password login etc. Thus if 
a bad person gets hold of your token it'll probably mean that they'll 
only have access to that account for a limited period of time (depending 
on what security measures your website employs). However if you had 
stored the actual password and some bad person got hold of it then there 
is no reasonable way for your website to distinguish the bad person using 
the password to gain access from the legitimate user.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
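The token scheme Jason describes (a random token in the cookie instead of the password, with an expiry and invalidation on full login) can be sketched in a few functions. This is an added example, not code from the list or from any poster; the in-memory `TOKENS` dict, the `TOKEN_LIFETIME` constant and the function names are assumptions standing in for a site's real session table.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: selector -> record. A real site would keep
# this in a database table keyed by the selector column.
TOKENS = {}
TOKEN_LIFETIME = 14 * 24 * 3600  # seconds; an assumed policy value


def issue_token(user_id, now=None):
    """Create a remember-me token for user_id and return the cookie value.

    Only a hash of the secret half is kept server-side, so a copy of the
    store cannot be turned back into working cookies. The password itself
    never goes anywhere near the cookie.
    """
    now = time.time() if now is None else now
    selector = secrets.token_hex(8)        # public lookup key
    verifier = secrets.token_urlsafe(32)   # secret half, hashed at rest
    TOKENS[selector] = {
        "user_id": user_id,
        "verifier_hash": hashlib.sha256(verifier.encode()).hexdigest(),
        "expires": now + TOKEN_LIFETIME,
    }
    return f"{selector}:{verifier}"


def check_token(cookie_value, now=None):
    """Return the user_id for a valid, unexpired cookie, otherwise None.

    Expired records are dropped on sight, so a stolen token is only useful
    until its expiry, which is the point of issuing tokens rather than
    storing the password.
    """
    now = time.time() if now is None else now
    if not cookie_value or ":" not in cookie_value:
        return None
    selector, verifier = cookie_value.split(":", 1)
    rec = TOKENS.get(selector)
    if rec is None:
        return None
    if now >= rec["expires"]:
        del TOKENS[selector]
        return None
    actual = hashlib.sha256(verifier.encode()).hexdigest()
    # constant-time comparison: the verifier is the secret, so do not let
    # a timing difference leak how many leading bytes matched
    if not hmac.compare_digest(rec["verifier_hash"], actual):
        return None
    return rec["user_id"]


def revoke_user_tokens(user_id):
    """Invalidate every remember-me token for user_id (for example after a
    password change or a full login) and return how many were dropped."""
    stale = [s for s, r in TOKENS.items() if r["user_id"] == user_id]
    for s in stale:
        del TOKENS[s]
    return len(stale)


def full_login(user_id, now=None):
    """On a full password login, retire the user's old tokens and issue a
    fresh one, as the message suggests."""
    revoke_user_tokens(user_id)
    return issue_token(user_id, now)


if __name__ == "__main__":
    # constructed walk-through with a fixed clock
    t0 = 1_000_000.0
    cookie = issue_token("alice", t0)
    print("valid now:", check_token(cookie, t0 + 60))
    print("after expiry:", check_token(cookie, t0 + TOKEN_LIFETIME + 1))
    fresh = full_login("alice", t0)
    print("old cookie after full login:", check_token(cookie, t0 + 5))
    print("fresh cookie:", check_token(fresh, t0 + 5))
```

The split into a selector and a verifier is what lets the server look a record up without comparing the secret half in a non-constant-time way; the hash at rest and the expiry are the two properties a stored password can never give you, which is the distinction the message draws.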

