Michael Donnelly wrote:
>
> If you're worried about the session data being compromised or otherwise
> stolen, you could just hash it.  MD5 the user's password at login and store
> the hash.  Then when you need to re-prompt the user, hash the answer and
> compare.  That way the password can't be ripped off if someone finds a way
> to get at that session data.
>
Sure it can, since most people still use dictionary words as a
password...

Anyway, storing an unhashed password in the database is already a
security risk. Especially if you allow the "I'm really dumb and forgot my
password and mail it to me" option on your site.

--
======================================================================================
Sven E. van 't Veer
http://www.cachoeiro.net
Java Developer                                                      [EMAIL PROTECTED]
======================================================================================
