I think it would not necessarily be a dangerous thing to do.  The
question you need to ask yourself is whether or not this is the right
thing to do.  It is much easier to be security conscious than to add a
weakness to the system from the word go.  I personally would never
pass around a password.  The previous message about the encrypted
password in the cookie is your best bet.

And considering you work for a bank, I thank god I don't bank there.
Your customers expect the most secure site that you can give them,
regardless of how it performs; after all, it's their financial
information.

----- Original Message -----
From: Lorena Carlo <[EMAIL PROTECTED]>
Date: Friday, October 20, 2000 1:18 pm
Subject: Re: How risky it is to store passwords in a session variable

> Hello all, Thanks for the answers, but you haven't really answered
> me if it is dangerous to do this or not.  The reason why I want to do
> this is for validating a user after he has accessed the program, I want
> him to re-enter the password for some operations, and I don't want to
> access the database again, so I want to validate it with the session
> variable.
>
> Please answer me the question, and give alternatives if this is
> dangerous.
> Thanks in advance
>
> Lorena
> ----- Original Message -----
> From: T A Flores <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, October 20, 2000 3:01 PM
> Subject: Re: How risky it is to store passwords in a session variable
>
>
> > I am unclear as to why you want to store a password in session.  Why
> > don't you just pass around some type of validated indication and not
> > the password.  Such as login=true;
> >
> > ----- Original Message -----
> > From: Lorena Carlo <[EMAIL PROTECTED]>
> > Date: Friday, October 20, 2000 12:12 pm
> > Subject: How risky it is to store passwords in a session variable
> >
> > > Hello all,
> > >
> > > Can somebody tell me if there is a risk in declaring a session
> > > variable that contains passwords?
> > >
> > > Thanks in advance
> > >
> > > Lorena

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
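
The following is an added example, not code from any participant in this thread. It sketches one way to meet the stated requirement (re-check the password for some operations without a second database query) while keeping only a login flag and a salted PBKDF2 verifier in the session instead of the password itself. The `Map` stands in for `HttpSession` attributes, and the attribute names, iteration count and sample password are assumptions; the verifier is still sensitive data if sessions are persisted or replicated.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SessionReauth {
    // Assumed parameters for this example; tune the iteration count to your hardware.
    static final int ITERATIONS = 210_000, KEY_BITS = 256;

    // Derive a salted PBKDF2 verifier from the password characters.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy held by the key spec
        }
    }

    // Call once, after the normal database login check has succeeded.
    // Only a flag, a per-session salt and the verifier enter the session.
    static void onLogin(Map<String, Object> session, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        session.put("login", Boolean.TRUE);
        session.put("reauthSalt", salt);
        session.put("reauthVerifier", derive(password, salt));
    }

    // Call before a sensitive operation: no database access, constant-time compare.
    static boolean reauthenticate(Map<String, Object> session, char[] attempt) throws Exception {
        byte[] salt = (byte[]) session.get("reauthSalt");
        byte[] expected = (byte[]) session.get("reauthVerifier");
        if (salt == null || expected == null) return false; // not logged in
        return MessageDigest.isEqual(expected, derive(attempt, salt));
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession
        onLogin(session, "constructed-sample-pw".toCharArray()); // constructed sample
        System.out.println(reauthenticate(session, "constructed-sample-pw".toCharArray()));
        System.out.println(reauthenticate(session, "wrong-guess".toCharArray()));
    }
}
```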
