Marco Tabini wrote:
Joseph Bannon wrote:
I think it's the responsibility of whomever is holding the key (ie, the username and password). When a user logs into my site, I put their username and password in a cookie. I then check those cookies to allow them access to membership only parts of the site. It is thus their responsibility to keep people from accessing the cookies on their machine. If I don't put the username and password on their machine and just use a session id, now the responsibility is in my hands.
What the hell kind of logic is that? So now it depends on what kind of data you put in the cookie for it to be your responsibility? You are definitely not a lawyer. :)
Neither am I mind you, but I think you should be held responsible for any data that's stored in a cookie. There should not be any sensitive data in cookies. Now, what's sensitive can be debated, but I'm sure it includes the username and password.
Tis why I would never store a password in a cookie. You might be able to talk me into storing the username, but never the password. The only thing I store in a cookie is a userid and a randomly generated number, and that's only if the site is to have a 'remember me' function so you don't have to login every time. Even in these cases, I still make the user verify his/her password before changing the account. Everything else is in the session data.
Data in cookie = bad
IMHO, by storing the user's name and password in a cookie, you may be exposing that information to unnecessary risks by letting it go back and forth continuously on the Net (assuming, of course, that you're not under SSL and/or are using some encryption mechanism) and possibly someone could argue that you did not take the necessary steps to protect the user's data in an efficient way.
Second that. The method you're using now is horrible; there's no reason to ever store usernames and passwords in cookies. You're exposing this information for every request. At least if you're using a "session id" instead of the actual data, only that session can be hijacked, instead of the entire account.
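The "userid plus a randomly generated number" cookie described two messages up, and the point just made that such a token exposes only one session rather than the account, look like this in practice. This is an added example, not code from anyone in the thread: the server keeps only a hash of the random secret, so a leaked token table cannot be replayed as cookies, and revoking the token on logout or password change invalidates the cookie without touching the account. The `$rememberStore` array is a constructed stand-in for a database table.

```php
<?php
// Added example, not from the thread: a "remember me" cookie carrying only a user id
// and a random token. $rememberStore is a constructed in-memory stand-in for a
// remember_tokens table keyed by selector => [user_id, token_hash, expires].
declare(strict_types=1);

const TOKEN_BYTES = 32;

$rememberStore = [];

/**
 * Issue a remember-me token for $userId and return the cookie value to send.
 * Only the SHA-256 hash of the secret is stored server-side.
 */
function issueRememberToken(array &$store, int $userId, int $ttlSeconds = 30 * 86400): string
{
    $selector = bin2hex(random_bytes(12));   // lookup key, not secret
    $secret   = random_bytes(TOKEN_BYTES);   // the "randomly generated number"
    $store[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $secret),
        'expires'    => time() + $ttlSeconds,
    ];
    // Cookie contents: userid, selector, secret. No username, no password.
    return $userId . ':' . $selector . ':' . bin2hex($secret);
}

/**
 * Validate a cookie value. Returns the user id on success, null otherwise.
 * hash_equals() keeps the comparison constant-time.
 */
function validateRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $selector, $secretHex] = $parts;
    if (!isset($store[$selector])
        || !ctype_xdigit($secretHex)
        || strlen($secretHex) !== 2 * TOKEN_BYTES) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < time() || $row['user_id'] !== (int) $userId) {
        return null;
    }
    $actual = hash('sha256', hex2bin($secretHex));
    return hash_equals($row['token_hash'], $actual) ? $row['user_id'] : null;
}

/**
 * Revoke one token (logout, password change): the cookie becomes useless,
 * the account itself is untouched.
 */
function revokeRememberToken(array &$store, string $cookie): void
{
    $parts = explode(':', $cookie);
    if (count($parts) === 3) {
        unset($store[$parts[1]]);
    }
}

// Usage: issue on login, send with restrictive cookie flags, check on the next visit.
$cookie = issueRememberToken($rememberStore, 42);
setcookie('remember', $cookie, [
    'expires'  => time() + 30 * 86400,
    'secure'   => true,      // only sent over TLS, so the token never crosses the wire in the clear
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Lax',
]);
var_dump(validateRememberToken($rememberStore, $cookie));                  // a fresh token validates
var_dump(validateRememberToken($rememberStore, '42:' . 'deadbeef' . ':00')); // a forged cookie does not
revokeRememberToken($rememberStore, $cookie);
var_dump(validateRememberToken($rememberStore, $cookie));                  // a revoked token does not
```

The split into a public selector and a hashed secret means a database read alone does not yield usable cookies, and because the secret is compared with `hash_equals()` rather than `==`, the lookup does not leak timing information about the stored hash. Anything that changes the account (as Joseph says of his own sites) should still require the password, which this cookie never contains.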
You're not even allowed to use persistent cookies in public government sites unless you get permission from the Secretary of the Defense.
Damn Secretaries....always in my way. :)
-- By-Tor.com It's all about the Rush http://www.by-tor.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php