> On 9 Apr 2005 John Nichel wrote:
>> While it is not absolute that you can't store passwords in a cookie, it is an absolute that you _shouldn't_.
>
> Sorry, I don't agree. There are very few absolute rules in software development.

This isn't a rule. It's common sense. The less a password is sent through cyberspace, the smaller the risk of it being compromised. The fewer places it's stored, the smaller the risk.

> For sites accessing sensitive information or that allow spending money, I would not store anything in a cookie that permitted a login.
>
> However, for something like a web-based discussion board where I don't really care if a person who sits at my computer or a thief who robs my house gets access, I think it is not a big deal. I might, depending on the needs, store a hash code as others have suggested, or an encrypted version of the password, with user permission of course.

What's the difference? How many users out there do you think use the same password for the chat room as they do for their bank? Remember AOL has millions of users.

> There is almost always a tradeoff between convenience and risk. Sometimes convenience is far more important. Often risk is.

True, but here, there's almost no tradeoff in convenience. The difference in amount of code to store a token in the cookie as compared to the password is almost non-existent.
-- By-Tor.com ...it's all about the Rush http://www.by-tor.com
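The "token instead of password" approach the thread argues about, as an added example that is not part of the original mailing-list message or of any project discussed in it. It assumes PHP 7.3 or later (for random_bytes(), hash_equals() and the options-array form of setcookie()); the $store array is a constructed stand-in for a remember-me tokens table, and the function names are the example's own.

```php
<?php
// Added example: a "remember me" cookie that carries a random token, never the
// password. Only a hash of the token's secret half is kept server-side, so a
// dump of the table alone is not enough to forge a cookie, and revoking a
// cookie never requires the user to change their password.
declare(strict_types=1);

const TOKEN_TTL = 30 * 24 * 3600; // lifetime in seconds (30 days)

// Issue a token for $userId and return the cookie value "selector:validator".
// The selector is a public lookup key; the validator is the secret.
function issue_remember_token(int $userId, array &$store, ?int $now = null): string
{
    $now = $now ?? time();
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, used as the row key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, only sent to the client
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + TOKEN_TTL,
    ];
    return $selector . ':' . $validator;
}

// Return the user id for a presented cookie value, or null when the cookie is
// malformed, refers to an unknown selector, has expired, or fails the hash check.
function validate_remember_token(string $cookie, array $store, ?int $now = null): ?int
{
    $now = $now ?? time();
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < $now) {
        return null;
    }
    // Constant-time comparison so timing does not reveal how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Logging out (or reacting to a stolen laptop) is a single row delete.
function revoke_remember_token(string $cookie, array &$store): void
{
    $selector = explode(':', $cookie, 2)[0];
    unset($store[$selector]);
}

// --- CLI walk-through over the constructed in-memory store ---
$store = [];
$cookieValue = issue_remember_token(42, $store);

// In a real page the value would be set with cookie flags that keep it off
// plain HTTP and away from scripts:
// setcookie('remember', $cookieValue, [
//     'expires' => time() + TOKEN_TTL, 'httponly' => true,
//     'secure' => true, 'samesite' => 'Lax',
// ]);

var_dump(validate_remember_token($cookieValue, $store));                         // valid cookie
var_dump(validate_remember_token($cookieValue . 'x', $store));                   // tampered validator
var_dump(validate_remember_token($cookieValue, $store, time() + TOKEN_TTL + 1)); // past expiry
revoke_remember_token($cookieValue, $store);
var_dump(validate_remember_token($cookieValue, $store));                         // after revocation
```

The design choice worth noting is the split into a selector and a validator: the database lookup uses the selector, and the secret validator is compared only by hash, so neither a leaked table nor a timing side channel on the lookup yields a usable cookie. Nothing in the cookie or the store can be reused to log in anywhere else, which is the concern raised about users who share passwords between a chat room and their bank.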
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php