Re: Storing password in cookie

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On ÑÐÐ, 2005-04-09 at 22:56 +0800, Jason Wong wrote:
> > Sorry, I don't agree.  There are very few absolute rules in software
> > development.
> 
> But in this case there really is no reason *why* you need to store a 
> password (encrypted or otherwise). 

IMO storing the password hash (md5,sha1, whatever:)) in a Cookie is not
smart. Some of the browsers (read IE) have some security holes so
getting the value of the cookie won't be a really hard job (this can be
dine with cross site scripting and DNS hacking too). When the attackers
have the hash of the password, in most of the cases they're brute
forcing , so if the user has an easy-to-guess password, it _can_ be
revelead (brute-forcing numbers, dictionary words). I don't get the
point, _why_ to store a password hash on the client-side as a cookie,
when you can do it on the server-side.

Josip Dzolonga,
http://josip.dotgeek.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux