Posted by Chris Shiflett on 04/11/05 19:32

Chris Boget wrote:
> > This idea of storing passwords in cookies is absurd.
>
>
> Is the above sentiment true even if you store the password as some sort
> of hash (md5 or otherwise)?

Yes, because passwords offer long-term access. If you accept a hash of
the password for access, then that hash becomes as sensitive as the
password. For example, this is why using client-side scripting to send
the hash of a password in a login form offers no protection.

Most people who inquire about storing access credentials (username and
password, password, hash of the password, etc.) in a cookie want to
provide a persistent login. This is a form of access control that is
temporarily removed by the presence of this cookie, which is difficult
enough to protect without adding in unnecessary risks. Even a temporary
token used in exactly the same manner offers less risk than anything
based upon the password.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

• Next in forum: Bulletproof POST remove
• Prev in forum: Re: [PHP] Storing password in cookie
• Thread view: Re: [PHP] Storing password in cookie

[Reply to this message]