Posted by Josip Dzolonga on 04/09/05 18:05
On Sat, 2005-04-09 at 22:56 +0800, Jason Wong wrote:
> > Sorry, I don't agree. There are very few absolute rules in software
> > development.
>
> But in this case there really is no reason *why* you need to store a
> password (encrypted or otherwise).
IMO storing the password hash (md5, sha1, whatever :)) in a Cookie is not
smart. Some of the browsers (read IE) have some security holes so
getting the value of the cookie won't be a really hard job (this can be
done with cross site scripting and DNS hacking too). When the attackers
have the hash of the password, in most of the cases they're brute
forcing, so if the user has an easy-to-guess password, it _can_ be
revealed (brute-forcing numbers, dictionary words). I don't get the
point, _why_ store a password hash on the client-side as a cookie,
when you can do it on the server-side.
Josip Dzolonga,
http://josip.dotgeek.org
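As an added illustration of the contrast drawn in this post (example code, not from the thread), the following puts the two approaches side by side: a cookie holding md5(password) is a fixed, unrevocable credential that is identical for every login, whereas a server-side session hands the browser only a random token that expires and can be revoked. The user table, the 60-second TTL and the injectable clock are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user table (plaintext only to keep the example short).
USERS = {"alice": "correct horse", "bob": "correct horse"}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def password_hash_cookie(password: str) -> str:
    """The scheme the post argues against: the cookie is md5(password).
    It is the same on every login and for every user with that password,
    and it cannot be revoked without changing the password."""
    return hashlib.md5(password.encode()).hexdigest()


class ServerSideSessions:
    """The alternative: the cookie is a random token; everything that
    matters is looked up server-side and can be expired or revoked."""

    def __init__(self, ttl_seconds: int = 3600, now=time.time):
        self._sessions = {}          # token -> (username, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now              # injectable clock so expiry can be tested

    def login(self, username: str, password: str):
        if not check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the password
        self._sessions[token] = (username, self._now() + self._ttl)
        return token

    def user_for_cookie(self, token: str):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires = entry
        if self._now() > expires:
            del self._sessions[token]  # expired: a leaked cookie stops working
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # revocation: impossible with a hash cookie
```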