Re: Storing password in cookie

trlists@xxxxxxxxxx wrote:
> <snip>
> A couple of people have stated this but I think it is incorrect. For one thing the users themselves are very likely to store the password there, so why shouldn't you -- with permission of course?

If the user wants to circumvent security measures by storing passwords, that's their option, but it's the programmer's obligation to keep his/her app as secure as possible.


> Many sites will do this with a "remember my password and log me in automatically" feature. Web-based discussion boards, for example, do this routinely and the only security risk is that someone who got access to your computer might get access to your account on the board. As long as the discussion topics are not sensitive I suspect most people using private computers would judge this to be an acceptable risk. On the other hand I would never do it (or allow a site to do it) for a site where my email account could be accessed, or money could be charged. But others might feel their computer is secure enough that they are willing to take even those risks.

While 'remember me' is a popular option, it doesn't mean that the site is storing your password in a cookie. In applications I create, the password never 'leaves the database'. When the user submits their login, I'll check the password against what is in the db (after doing various encrypt methods on it), and that's as far as it goes. If the login is successful, and the user has a 'remember me' option, I'll create a unique hash based on a combination of things (like username, ip, time, random words, etc.), and store that hash in a temporary table (as well as in the cookie). When the user comes back, I'll check that hash, and if successful I'll delete it, and generate a new one for next visit. And even this type of 'login' may not give the user full access to their account, as I may ask for the password again if they want to update some items.


> Like many such questions, to me this is not something that should be subject to absolutes but to considered judgment, some on the part of the developer and some on the part of the user.

While it is not absolute that you can't store passwords in a cookie, it is an absolute that you _shouldn't_.


--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
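The single-use 'remember me' token scheme described in the reply above, written out as an added example (not code from the poster or the list). It swaps the poster's "combination of things" hash for a CSPRNG token, stores only the token's SHA-256 in the table, and assumes PHP 7.3+ with PDO and the pdo_sqlite extension so the walk-through runs without a real database.

```php
<?php
// Added example, not from the thread. Assumes PDO; in-memory SQLite stands in
// for the post's "temporary table". Cookie flags assume an HTTPS site.
declare(strict_types=1);
const REMEMBER_COOKIE  = 'remember_me';
const REMEMBER_TTL_SEC = 30 * 24 * 3600; // assumed 30-day lifetime

function setupSchema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (token_hash TEXT PRIMARY KEY,
        user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
}

// Issue a fresh token after a password login or after a token is consumed. Only
// its SHA-256 is stored, so a copied table cannot be replayed against the site.
function issueRememberToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output, never the password
    $db->prepare('INSERT INTO remember_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + REMEMBER_TTL_SEC]);
    if (PHP_SAPI !== 'cli') { // no headers to send when run from the command line
        setcookie(REMEMBER_COOKIE, $token, ['expires' => time() + REMEMBER_TTL_SEC,
            'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $token;
}

// Consume a presented token: it is deleted whether or not it was valid, so a
// stolen cookie works at most once and the real user's next visit fails loudly.
// Returns the user id, or null when the token is unknown or expired.
function consumeRememberToken(PDO $db, string $token): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['user_id']; // caller should still re-prompt for the password on sensitive actions
}

// Walk-through: the first presentation logs user 42 in, the replay is rejected.
$db = new PDO('sqlite::memory:');
setupSchema($db);
$t = issueRememberToken($db, 42);
$first  = consumeRememberToken($db, $t);
$replay = consumeRememberToken($db, $t);
printf("first: %s, replay: %s\n", var_export($first, true), var_export($replay, true));
```

On a successful consume the application should immediately call issueRememberToken again for the same user, which is the "delete it, and generate a new one for next visit" step from the reply.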

