On 11 Apr 2005 Chris Shiflett wrote:

> > > DO NOT STORE PASSWORDS ON USERS COMPUTER
> >
> > A couple of people have stated this but I think it is incorrect.
>
> Please refrain from such speculation, because it does nothing to improve
> the state of security within our community. This idea of storing
> passwords in cookies is absurd.

Hmmm, sorry, it wasn't speculation but an opinion in response to what I thought had moved from a practical into a theoretical discussion.

I agree, storing even an encrypted password in a cookie is a poor idea in most situations. But to me development is about selecting the right tool and using it the right way for the job at hand, and as a matter of principle I'm not convinced that a password stored in some form in a cookie can never, ever be the right tool for any job -- even if it's the wrong tool for many or most.

As I said in other posts, there is a tendency here to declare certain practices as "the one and only way", but I think development is almost always more complex and more of a balancing act than that.

If the discussion of that balance is beyond what the list is for and there is a need for a simple rule that everyone can follow, then I certainly agree that "don't store passwords on the user's computer" is a far better rule and promotes better security practices than "it depends". But as I said, I thought the discussion was more theoretical at that point, and that that was equally part of what's discussed here.

--
Tom

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php