Posted by Jason Wong on 04/09/05 17:56
On Saturday 09 April 2005 21:33, trlists@clayst.com wrote:
> On 9 Apr 2005 John Nichel wrote:
> > While it is not absolute that you can't store passwords in a cookie,
> > it is an absolute that you _shouldn't_
>
> Sorry, I don't agree. There are very few absolute rules in software
> development.
But in this case there really is no reason *why* you need to store a
password (encrypted or otherwise).
> I might, depending on
> the needs, store a hash code as others have suggested
Why not in *all* cases?
> Sometimes convenience is far more important. Often risk is.
I can't see where the convenience lies. For you as a developer, you've
already got the necessary code to do the token thing so there is
practically no difference whether you use a token or a password. For the
user, what are they going to do with an encrypted password -- are you
going to tell them how to decrypt in the case that they have forgotten
the password?
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
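
The token approach argued for in this message, as an added example that is not part of the original post or any list member's code: the cookie carries a random selector and validator, the server keeps only a hash of the validator, and the password never leaves the login form. The function names, the in-memory `$store` array standing in for a database table, and the 14-day lifetime are assumptions.

```php
<?php
// Added example: a "remember me" cookie built from a random token, never the password.
// $store stands in for a database table keyed by selector (assumption).
function issueRememberToken(int $userId, array &$store, int $now, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret half, held only by the browser
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // server keeps the hash, not the secret
        'expires' => $now + $ttl,
    ];
    // In a real page, send the returned value with setcookie() using secure + httponly options.
    return $selector . ':' . $validator;
}

function redeemRememberToken(string $cookie, array &$store, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed cookie or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use: the row is dropped on any attempt
    if ($row['expires'] < $now || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired, or validator does not match
    }
    // Rotate: a successful login gets a fresh token, so a copied cookie stops working.
    return ['user_id' => $row['user_id'],
            'cookie'  => issueRememberToken($row['user_id'], $store, $now)];
}

// Constructed demo values: user id 42 and an empty store.
$store  = [];
$now    = time();
$cookie = issueRememberToken(42, $store, $now);
$login  = redeemRememberToken($cookie, $store, $now + 60);
var_dump($login['user_id']);                                   // first use of the cookie
var_dump(redeemRememberToken($cookie, $store, $now + 120));    // replay of the used cookie
var_dump(redeemRememberToken($login['cookie'], $store, $now + 3000000)); // past the lifetime
```

A stolen cookie or a leaked `$store` row yields only a revocable token or its hash; neither reveals the user's password.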