Joseph Bannon wrote:
I think it's the responsibility of whoever is holding the key (i.e., the
username and password). When a user logs into my site, I put their
username and password in a cookie. I then check those cookies to allow
them access to membership-only parts of the site. It is thus their
responsibility to keep people from accessing the cookies on their
machine. If I don't put the username and password on their machine and
just use a session id, now the responsibility is in my hands.

J.


The responsibility is in your hands as far as the consequences of your actions are concerned. If *your* server gets hacked into and someone steals all the usernames and passwords, you're in trouble because you let that happen.


If your customer discloses his or her information to a third party, either voluntarily or by mistake, the responsibility is theirs, unless you accept in your agreement with them to take responsibility for their mistakes (which, incidentally, is essentially what you do when you open a credit card merchant account).

IMHO, by storing the user's name and password in a cookie, you may be exposing that information to unnecessary risks by letting it go back and forth continuously on the Net (assuming, of course, that you're not under SSL and/or are using some encryption mechanism) and possibly someone could argue that you did not take the necessary steps to protect the user's data in an efficient way.

But, then again, I'm not a lawyer, so take what I'm saying with a HUGE grain of salt :-)

Cheers,


Marco
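The two designs discussed in this thread, side by side, as an added example that is not code from either poster. Pattern A is the username-and-password cookie Joseph describes; Pattern B is the session-id approach Marco prefers, with the cookie hardened so the identifier is only sent over SSL and is not readable by client-side script. The example assumes a `users` table with columns `id`, `username` and `password_hash` (a `password_hash()` bcrypt string) reachable through a PDO handle, and PHP 7.3 or later for the array form of `session_set_cookie_params()`; all of those are assumptions, not anything the thread states.

```php
<?php
// Added example, not from the original thread. Assumed schema: users(id,
// username, password_hash) where password_hash comes from password_hash().
declare(strict_types=1);

// --- Pattern A: credentials stored in the cookie (what the question describes) ---
// Every request re-sends the username and password in clear text, so any
// network observer, proxy log, or script running in the browser can read them,
// and the server has to re-verify the password on every hit.
function loginWithCredentialCookie(string $username, string $password): void
{
    setcookie('username', $username, time() + 86400 * 30, '/');
    setcookie('password', $password, time() + 86400 * 30, '/');
}

function isMemberByCredentialCookie(PDO $pdo): bool
{
    if (!isset($_COOKIE['username'], $_COOKIE['password'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$_COOKIE['username']]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($_COOKIE['password'], $hash);
}

// --- Pattern B: opaque session id in the cookie, state kept server-side ---
// The browser only ever holds a random identifier. The password is checked
// once at login and is never written to the client's machine.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginWithSession(PDO $pdo, string $username, string $password): bool
{
    startSecureSession();
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh id once the session gains privileges, so an id handed to
    // the browser before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

function isMemberBySession(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        startSecureSession();
    }
    return isset($_SESSION['user_id']);
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        startSecureSession();
    }
    $_SESSION = [];
    // Expire the session cookie on the client and drop the server-side state.
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

With Pattern B the only thing a stolen cookie yields is a session identifier that the server can invalidate (on logout, on timeout, or after a suspected compromise), whereas a stolen Pattern A cookie is the user's password itself, which the server cannot revoke without forcing a reset.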


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php