On Tue, Oct 21, 2003 at 04:48:13PM -0500, Joseph Bannon wrote:
: 
: I think it's the responsibility of whoever is holding the key (i.e., the
: username and password). When a user logs into my site, I put their
: username and password in a cookie. I then check those cookies to allow
: them access to membership only parts of the site. It is thus their
: responsibility to keep people from accessing the cookies on their
: machine. If I don't put the username and password on their machine and
: just use a session id, now the responsibility is in my hands.

Saying that the responsibility to maintain the secrecy of such cookie
data lies in the hands of whoever holds the cookie is not possible.
Cookie data gets transferred in every HTTP request, and hops through
several routers before it reaches its final destination.  That's a lot
of extra machines that you say are responsible for keeping your cookie
data secret.  That's silly, and it will never happen.  The developer
sets the cookie.  And the responsibility lies with the developer (or
with the developer's employer).

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
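The design the reply argues for, as an added example that is not part of the original thread or of any poster's code: the server verifies the credentials once, stores the logged-in state on its own side, and hands the browser only an opaque random session id with cookie flags that limit where it travels. The user table, the in-memory session store and the password are constructed placeholders; a real deployment would back the store with a database or PHP's own session handler.

```php
<?php
// Added example, not from the original thread.  Contrasts the quoted
// approach (username and password in the cookie) with a server-side
// session keyed by a random id, which is what the reply advocates.
//
// Assumptions (hypothetical): $users maps username => password_hash(),
// and $sessions is an in-memory session store for this demonstration.

declare(strict_types=1);

// Constructed sample user table; the hash comes from password_hash().
$users = [
    'alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

// Server-side session store: session id => ['user' => ..., 'expires' => ...]
$sessions = [];

// The approach from the quoted message: the reusable password rides along
// in every HTTP request, through every hop, and sits on the client disk.
function login_with_credentials_in_cookie(string $user, string $pass): void
{
    setcookie('auth', $user . ':' . $pass);
}

// The approach the reply argues for: verify once, issue a random token.
function login_with_session_id(string $user, string $pass, array $users, array &$sessions): ?string
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return null;
    }
    // 32 bytes from the CSPRNG, hex-encoded: an unguessable, revocable token
    // that reveals nothing about the password if it is ever observed.
    $sid = bin2hex(random_bytes(32));
    $sessions[$sid] = ['user' => $user, 'expires' => time() + 1800];

    // Cookie attributes limit who sees the token and where it is sent:
    //   secure   - only over TLS, so intermediaries see ciphertext
    //   httponly - not readable by page scripts
    //   samesite - not attached to cross-site requests
    setcookie('sid', $sid, [
        'expires'  => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return $sid;
}

// Authorise a request to a members-only page from the cookie it presents.
function current_user(array $cookies, array &$sessions): ?string
{
    $sid = $cookies['sid'] ?? '';
    if (!isset($sessions[$sid])) {
        return null;
    }
    if ($sessions[$sid]['expires'] < time()) {
        unset($sessions[$sid]);   // expired: drop it server-side
        return null;
    }
    return $sessions[$sid]['user'];
}

// Logout invalidates the token on the server, which a password-in-cookie
// scheme cannot do without changing the password itself.
function logout(array $cookies, array &$sessions): void
{
    $sid = $cookies['sid'] ?? '';
    unset($sessions[$sid]);
    setcookie('sid', '', ['expires' => time() - 3600, 'path' => '/']);
}

// Usage (setcookie() only emits headers under a web SAPI; the logic runs anywhere):
$sid = login_with_session_id('alice', 'constructed-sample-password', $users, $sessions);
echo "user for issued token: " . var_export(current_user(['sid' => $sid], $sessions), true) . "\n";
echo "user for unknown token: " . var_export(current_user(['sid' => 'bogus'], $sessions), true) . "\n";
logout(['sid' => $sid], $sessions);
echo "user after logout: " . var_export(current_user(['sid' => $sid], $sessions), true) . "\n";
```

The point of the contrast is what an observer gains from the cookie: in the first function, the password itself; in the second, a token the server can expire or revoke at will, and which the Secure and HttpOnly attributes keep away from plaintext network paths and page scripts.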