On Saturday 09 April 2005 19:29, trlists@xxxxxxxxxx wrote: > On 9 Apr 2005 Andy Pieters wrote: > > It doesn't matter how you encrypt it. > > > > DO NOT STORE PASSWORDS ON USERS COMPUTER > > > > I hope that's clear enough. > > A couple of people have stated this but I think it is incorrect. For > one thing the users themselves are very likely to store the password > there, so why shouldn't you -- with permission of course? Because you should know better than the user! > Many sites will do this with a "remember my password and log me in > automatically" feature. It doesn't necessarily mean that it will literally store your password in a cookie, it could just be storing a token. With a token, your website could impose expiry dates on them or invalidate them (and possibly issue a new one) whenever the user performs a full password login etc. Thus if a bad person gets hold of your token it'll probably mean that they'll only have access to that account for a limited period of time (depending on what security measures your website employs). However if you had stored the actual password and some bad person got hold of it then there is no reasonable way for your website to distinguish the bad person using the password to gain access from the legitimate user. -- Jason Wong -> Gremlins Associates -> www.gremlins.biz Open Source Software Systems Integrators * Web Design & Hosting * Internet & Intranet Applications Development * ------------------------------------------ Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general ------------------------------------------ New Year Resolution: Ignore top posted posts -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
