Posted by trlists on 04/09/05 16:33
On 9 Apr 2005 John Nichel wrote:
> While it is not absolute that you can't store passwords in a cookie, it
> is an absolute that you _shouldn't_
Sorry, I don't agree. There are very few absolute rules in software
development.
For sites accessing sensitive information or that allow spending money,
I would not store anything in a cookie that permitted a login.
However, for something like a web-based discussion board where I don't
really care if a person who sits at my computer or a thief who robs my
house gets access, I think it is not a big deal. I might, depending on
the needs, store a hash code as others have suggested, or an encrypted
version of the password, with user permission of course.
There is almost always a tradeoff between convenience and risk.
Sometimes convenience is far more important. Often risk is.
--
Tom
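A worked illustration of the "hash code" alternative the reply mentions, written as an added example rather than code from anyone in this thread. A cookie that carries the password, or a hash the server accepts in place of the password, can be replayed as-is by whoever copies the cookie, so the safer version of a low-stakes "remember me" cookie holds a random token that is unrelated to the password, is bound to the user with an HMAC, and is stored server-side only as a hash so it can be revoked. The names `REMEMBER_STORE`, `SERVER_KEY`, `issue_remember_cookie`, `verify_remember_cookie` and `revoke_remember_cookie` are assumptions made for this example, and the in-memory dict stands in for the site's user database.

```python
"""Persistent-login ("remember me") cookie that carries no password material.

Added example, not from the original thread. The cookie value is
'user_id:token:mac' where the token is random and unrelated to the password,
the MAC binds the token to the user, and the server keeps only a hash of the
token so a leaked store yields no usable cookies. A stolen cookie grants the
discussion-board session the poster is willing to risk, never the password,
and the token can be revoked server-side (logout, password change).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Constructed server-side state: sha256(token) -> (user_id, expiry epoch seconds).
# A real site keeps this in its user database.
REMEMBER_STORE: dict[str, tuple[str, float]] = {}

# Constructed server secret; a real deployment loads this from configuration.
SERVER_KEY = b"example-server-key-not-for-production"

DEFAULT_TTL_SECONDS = 30 * 24 * 3600  # 30 days, arbitrary for the example


def _sign(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the cookie payload, hex-encoded."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_cookie(user_id: str, key: bytes = SERVER_KEY,
                          ttl_seconds: int = DEFAULT_TTL_SECONDS,
                          now: float | None = None) -> str:
    """Create a cookie value for user_id and record its token hash server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # URL-safe base64, never contains ':'
    REMEMBER_STORE[_token_hash(token)] = (user_id, now + ttl_seconds)
    payload = f"{user_id}:{token}"
    return f"{payload}:{_sign(payload, key)}"


def verify_remember_cookie(cookie: str, key: bytes = SERVER_KEY,
                           now: float | None = None) -> str | None:
    """Return the user_id the cookie authenticates, or None.

    Rejects malformed cookies, tampered payloads (MAC mismatch), unknown or
    revoked tokens, tokens bound to a different user, and expired tokens.
    The MAC comparison is constant-time.
    """
    now = time.time() if now is None else now
    # rsplit keeps a user_id that itself contains ':' intact; token and mac never do.
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return None
    user_id, token, mac = parts
    payload = f"{user_id}:{token}"
    if not hmac.compare_digest(mac.encode(), _sign(payload, key).encode()):
        return None
    record = REMEMBER_STORE.get(_token_hash(token))
    if record is None:
        return None                      # unknown or revoked token
    stored_user, expires = record
    if stored_user != user_id or now > expires:
        return None
    return user_id


def revoke_remember_cookie(cookie: str) -> bool:
    """Invalidate a cookie server-side; returns True if a token was removed."""
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return False
    return REMEMBER_STORE.pop(_token_hash(parts[1]), None) is not None


if __name__ == "__main__":
    c = issue_remember_cookie("tom")
    print(verify_remember_cookie(c))                       # tom
    print(verify_remember_cookie("mallory" + c[c.index(":"):]))  # None: MAC mismatch
    revoke_remember_cookie(c)
    print(verify_remember_cookie(c))                       # None: revoked
```

Because the server only ever stores `sha256(token)`, a copy of the store cannot be turned back into valid cookies, and because the token is independent of the password, the convenience-versus-risk tradeoff the reply describes is confined to the board session rather than extending to the password itself.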