On 9 Apr 2005 John Nichel wrote:

> While it is not absolute that you can't store passwords in a cookie, it
> is an absolute that you _shouldn't_

Sorry, I don't agree. There are very few absolute rules in software development.

For sites accessing sensitive information or that allow spending money, I would not store anything in a cookie that permitted a login. However, for something like a web-based discussion board where I don't really care if a person who sits at my computer or a thief who robs my house gets access, I think it is not a big deal. I might, depending on the needs, store a hash code as others have suggested, or an encrypted version of the password, with user permission of course.

There is almost always a tradeoff between convenience and risk. Sometimes convenience is far more important. Often risk is.

-- Tom

--
PHP General Mailing List (http://www.php.net/)