> This idea of storing passwords in cookies is absurd.
Is the above sentiment true even if you store the password as some sort of hash (md5 or otherwise)?
Yes, because passwords offer long-term access. If you accept a hash of the password for access, then that hash becomes as sensitive as the password. For example, this is why using client-side scripting to send the hash of a password in a login form offers no protection.
Most people who inquire about storing access credentials (username and password, password, hash of the password, etc.) in a cookie want to provide a persistent login. This is a form of access control that is temporarily removed by the presence of this cookie, which is difficult enough to protect without adding in unnecessary risks. Even a temporary token used in exactly the same manner offers less risk than anything based upon the password.
Hope that helps.
Chris
-- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
