Re: Storing password in cookie

Chris Boget wrote:
> This idea of storing passwords in cookies is absurd.
Is the above sentiment true even if you store the password as some sort of hash (md5 or otherwise)?

Yes, because passwords offer long-term access. If you accept a hash of the password for access, then that hash becomes as sensitive as the password. For example, this is why using client-side scripting to send the hash of a password in a login form offers no protection.
Most people who inquire about storing access credentials (username and password, password, hash of the password, etc.) in a cookie want to provide a persistent login. This is a form of access control that is temporarily removed by the presence of this cookie, which is difficult enough to protect without adding in unnecessary risks. Even a temporary token used in exactly the same manner offers less risk than anything based upon the password.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
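The alternative described above, a short-lived random token used for the persistent login instead of anything derived from the password, as an added PHP example that is not part of the original thread or Chris Shiflett's code. It assumes an in-memory array standing in for the database table, a selector/validator split of the cookie value, and hypothetical helper names (issueRememberToken, checkRememberToken, revokeRememberToken).

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a database table: selector => [user_id, token_hash, expires].
$rememberTokens = [];

// Issue a persistent-login token for $userId and return the cookie value.
// The cookie never contains the password or a hash of it, so leaking it
// exposes only this revocable token, not long-term access to the account.
function issueRememberToken(array &$store, int $userId, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, stored in the clear
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $validator),
        'expires'    => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Validate a cookie value and return the user id, or null if it is unknown,
// expired, or has a wrong validator. The stored hash is compared in constant time.
function checkRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);            // expired tokens are purged on sight
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Revocation is a server-side delete; the user's password is untouched.
function revokeRememberToken(array &$store, string $cookie): void
{
    $selector = explode(':', $cookie, 2)[0];
    unset($store[$selector]);
}

// Demo of one issue/check/revoke cycle; in a real request the value would go out via
// setcookie('remember', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']).
$cookie = issueRememberToken($rememberTokens, 42);
var_dump(checkRememberToken($rememberTokens, $cookie));
var_dump(checkRememberToken($rememberTokens, 'bogus:token'));
revokeRememberToken($rememberTokens, $cookie);
var_dump(checkRememberToken($rememberTokens, $cookie));
```

Because only the hash of the validator is stored, a read of the token table does not yield usable cookies, and a compromised token can be revoked without forcing a password change.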

