--- Marco Tabini <[EMAIL PROTECTED]> wrote:
> IMHO, by storing the user's name and password in a cookie, you may be
> exposing that information to unnecessary risks by letting it go back
> and forth continuously on the Net (assuming, of course, that you're
> not under SSL and/or are using some encryption mechanism) and possibly
> someone could argue that you did not take the necessary steps to protect
> the user's data in an efficient way.
I agree completely with this. If you are exposing someone's access credentials over the Internet for every single transaction (potentially many times for every page), your neglect would probably outweigh the fact that you didn't intentionally hand a third party any information. That's just my perspective, of course.

In the case of cookies in general, I don't think it's as clear as any of the analogies used so far. The typical user probably doesn't realize you are setting or reading cookies. And, since the developer understands this while the user doesn't, it seems risky that the developer can know about potential vulnerabilities without alerting the user. I always assumed those legal disclaimers said stuff like, "You could die from using this site. Your death is not our responsibility. Browse at your own risk." Well, maybe not that extreme, but you get the idea. :-)

Of course, if you don't store sensitive data in the cookies, there's not a big concern anyway.

I should mention that the law doesn't always agree with me, so it's never safe to assume it does. I'm just saying what makes sense to me. :-)

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
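An added example, not code from the thread or from either poster: the credentials-in-cookie pattern Marco objects to, beside the usual alternative of handing the browser an opaque random token that maps to the user on the server. It assumes PHP 7.3+ (the `setcookie()` options array and `random_bytes()`) and a hypothetical server-side store passed in as `$store`.

```php
<?php
// Added example (not from the list). Assumes PHP 7.3+ and a hypothetical
// server-side token store ($store); in practice that would be a database table.

declare(strict_types=1);

const COOKIE_LIFETIME = 86400 * 30; // 30 days, in seconds
const TOKEN_BYTES     = 32;         // 256 bits of CSPRNG output

// WEAK: the user's name and password ride along on every request to the
// site, readable by anyone on the path unless the connection is under TLS.
function rememberUserWeak(string $user, string $password): void
{
    setcookie('user', $user, time() + COOKIE_LIFETIME);
    setcookie('pass', $password, time() + COOKIE_LIFETIME);
}

// Better: after the one login request, only an opaque token leaves the server.
// The store keeps a hash of the token, so a leaked store yields no usable cookie.
function issueSessionToken(string $user, array &$store): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $store[hash('sha256', $token)] = [
        'user'    => $user,
        'expires' => time() + COOKIE_LIFETIME,
    ];
    setcookie('sid', $token, [
        'expires'  => time() + COOKIE_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Resolve a presented token back to a user, or null if unknown or expired.
function userFromToken(string $token, array $store): ?string
{
    $entry = $store[hash('sha256', $token)] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['user'];
}
```

Logging out is then deleting the store entry for that token hash, which invalidates the cookie without the password ever having been in the browser.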