You are here: Re: [PHP] Storing password in cookie « PHP « IT news, forums, messages
Re: [PHP] Storing password in cookie

Posted by trlists on 04/09/05 21:51

On 9 Apr 2005 Ryan A wrote:

> This certainly has turned out to be an interesting discussion.....I
> usually send the info via sessions...how bad is that?

Well if you are using sessions it is worth thinking about session
security, for example:

http://shiflett.org/articles/the-truth-about-sessions
http://www.acros.si/papers/session_fixation.pdf

Beyond that -- what info are you sending?? Session data is stored on
the server, not at the client, so the security is as good as for
anything else on the server (assuming of course that session data is
outside the web document tree).

Personally there is little if any data that I would encrypt when saving
it as session data (maybe CC numbers, if I had to save them across
pages at all, or maybe passwords, but nothing else), because I think
that's a weak defense. If access to your session data means they have
gained access to the server then they can also find the code you use to
decrypt that session data, so it is just one more small obstacle, not a
true defense.

Another point is that this might require a different analysis on a
shared vs. dedicated server as a shared server may well be less secure
than a dedicated server, and a dedicated server you don't physically
control (e.g. colocated) may be less secure than one you do.

--
Tom

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация