Reply to Re: [PHP] Storing password in cookie

Posted by Josip Dzolonga on 04/09/05 18:05

On Sat, 2005-04-09 at 22:56 +0800, Jason Wong wrote:
> > Sorry, I don't agree. There are very few absolute rules in software
> > development.
>
> But in this case there really is no reason *why* you need to store a
> password (encrypted or otherwise).

IMO storing the password hash (md5, sha1, whatever :)) in a cookie is not
smart. Some of the browsers (read IE) have some security holes so
getting the value of the cookie won't be a really hard job (this can be
done with cross-site scripting and DNS hacking too). When the attackers
have the hash of the password, in most of the cases they're brute
forcing, so if the user has an easy-to-guess password, it _can_ be
revealed (brute-forcing numbers, dictionary words). I don't get the
point, _why_ to store a password hash on the client-side as a cookie,
when you can do it on the server-side.

Josip Dzolonga,
http://josip.dotgeek.org
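
The server-side alternative this post argues for, as an added example that is not part of the original message: the cookie carries a random token unrelated to the password, and the server keeps only the token's digest. The function names and the `$store` array (standing in for a database table) are hypothetical, and the code assumes PHP 7.3 or later.

```php
<?php
// Added example. Hypothetical helper names; $store stands in for a database table.
const TOKEN_TTL = 1209600; // 14 days in seconds (constructed value)

// Issue a random token for the cookie; the server keeps only its SHA-256 digest,
// so neither the cookie nor the stored row can be brute-forced back to a password.
function issue_login_token(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 random bits, unrelated to the password
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token; // this value goes into the cookie
}

// Resolve a cookie value to a user id, or null. Tokens are single use:
// a matching row is deleted and the caller issues a replacement token.
function redeem_login_token(array &$store, string $cookieValue, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null; // malformed input never reaches the lookup
    }
    $key = hash('sha256', $cookieValue);
    if (!isset($store[$key])) {
        return null; // unknown, already used, or revoked
    }
    $row = $store[$key];
    unset($store[$key]); // rotate on every use; expired rows are dropped here too
    return $row['expires'] >= $now ? $row['user_id'] : null;
}

// Revoke every token for a user, for example on logout or password change.
function revoke_user_tokens(array &$store, int $userId): void
{
    foreach ($store as $key => $row) {
        if ($row['user_id'] === $userId) {
            unset($store[$key]);
        }
    }
}

// Demo with constructed data. In a web request the token would be sent with
// setcookie('remember', $cookie, ['expires' => $now + TOKEN_TTL,
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$store = [];
$now = time();
$cookie = issue_login_token($store, 42, $now);
var_dump(redeem_login_token($store, $cookie, $now)); // first presentation
var_dump(redeem_login_token($store, $cookie, $now)); // replay of the same cookie
```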
