On Sat, 2005-04-09 at 22:56 +0800, Jason Wong wrote:
> > Sorry, I don't agree. There are very few absolute rules in software
> > development.
>
> But in this case there really is no reason *why* you need to store a
> password (encrypted or otherwise).

IMO storing the password hash (md5, sha1, whatever :)) in a cookie is not smart. Some of the browsers (read IE) have some security holes, so getting the value of the cookie won't be a really hard job (this can be done with cross-site scripting and DNS hacking too). When the attackers have the hash of the password, in most of the cases they're brute-forcing it, so if the user has an easy-to-guess password, it _can_ be revealed (brute-forcing numbers, dictionary words).

I don't get the point: _why_ store a password hash on the client side as a cookie, when you can do it on the server side?

Josip Dzolonga, http://josip.dotgeek.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
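As an added illustration of the point made in the reply above (example code written for this page, not code from the thread or from any project discussed in it), here is the cookie-with-password-hash pattern being argued against placed next to a server-side session equivalent in PHP. The `$users` array, `DUMMY_HASH` and `find_user_hash()` are constructed stand-ins for whatever user store the application really has.

```php
<?php
// Constructed user store standing in for a real database: passwords are kept
// only as password_hash() output on the server, never as plaintext or md5.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Dummy hash used for unknown usernames so the login path takes the same time either way.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

function find_user_hash(array $users, string $name): ?string
{
    return $users[$name] ?? null;
}

// --- The pattern argued against: a password hash is handed to the client ---
// Whoever can read this cookie (XSS, a leaky browser, a shared machine) holds a
// long-lived credential that can be brute-forced offline against weak passwords.
function login_with_hash_cookie(string $name, string $password): void
{
    setcookie('user', $name);
    setcookie('pwhash', md5($password)); // md5 of the password, as discussed in the thread
}

// --- Server-side alternative: only an opaque, random session id leaves the server ---
// A stolen id yields one time-limited session, not the password or a crackable hash.
function login_with_session(array $users, string $name, string $password): bool
{
    $stored = find_user_hash($users, $name);
    // Always run password_verify() (constant-time) so timing does not reveal valid usernames.
    $ok = password_verify($password, $stored ?? DUMMY_HASH) && $stored !== null;
    if (!$ok) {
        return false;
    }
    session_set_cookie_params([
        'httponly' => true,  // JavaScript (and so XSS) cannot read the cookie
        'secure'   => true,  // sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true); // fresh id on login: blocks session fixation
    $_SESSION['user'] = $name;
    $_SESSION['login_time'] = time();
    return true;
}

// Later requests identify the user from the server-side session, not from a cookie value.
function current_user(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user'] ?? null;
}
```

The only secret the browser ever holds in the second version is the session id, which the server can expire or revoke; nothing in the cookie can be cracked to recover the password.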