Posted by John Nichel on 04/09/05 22:47
trlists@clayst.com wrote:
> On 9 Apr 2005 John Nichel wrote:
>
>
>>While it is not absolute that you can't store passwords in a cookie, it
>>is an absolute that you _shouldn't_
>
>
> Sorry, I don't agree. There are very few absolute rules in software
> development.
This isn't a rule. It's common sense. The less a password is sent through
cyberspace, the smaller the risk of it being compromised. The fewer
places it's stored, the smaller the risk.
> For sites accessing sensitive information or that allow spending money,
> I would not store anything in a cookie that permitted a login.
>
> However, for something like a web-based discussion board where I don't
> really care if a person who sits at my computer or a thief who robs my
> house gets access, I think it is not a big deal. I might, depending on
> the needs, store a hash code as others have suggested, or an encrypted
> version of the password, with user permission of course.
What's the difference? How many users out there do you think use the
same password for the chat room as they do for their bank? Remember,
AOL has millions of users.
> There is almost always a tradeoff between convenience and risk.
> Sometimes convenience is far more important. Often risk is.
True, but here there's almost no tradeoff in convenience. The
difference in the amount of code to store a token in the cookie as compared
to the password is almost non-existent.
--
By-Tor.com
....it's all about the Rush
http://www.by-tor.com
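The point made above, that a "remember me" cookie carrying a random token takes no more code than one carrying the password, as an added example that is not part of the thread or of any poster's code. The thread names no language, so this is written in Python. The in-memory REMEMBER_TOKENS store, the 30-day TOKEN_TTL, the cookie name "remember" and the user:token cookie layout are all assumptions made for the example; a real site would keep the token hashes in a database table.

```python
"""Remember-me cookie: random server-side token versus password in the cookie."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Server-side store, assumed in-memory here; a real site uses a DB table.
# Maps username -> {sha256(token): expiry timestamp}
REMEMBER_TOKENS = {}

TOKEN_TTL = 30 * 24 * 3600  # 30 days; assumed policy value for the example


def _hash_token(token: str) -> str:
    # Only the hash is stored server-side, so a leaked table does not yield
    # usable cookies (the same reasoning as hashing passwords).
    return hashlib.sha256(token.encode()).hexdigest()


def _cookie_header(name: str, value: str, max_age: int) -> str:
    # HttpOnly keeps page script from reading the cookie; Secure keeps it off
    # plain HTTP; both apply to either approach, but only limit exposure.
    return ("Set-Cookie: %s=%s; Max-Age=%d; Path=/; HttpOnly; Secure; SameSite=Lax"
            % (name, value, max_age))


def issue_remember_cookie(user: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Mint a fresh random token for user; return (cookie_value, Set-Cookie header)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    REMEMBER_TOKENS.setdefault(user, {})[_hash_token(token)] = now + TOKEN_TTL
    value = "%s:%s" % (user, token)
    return value, _cookie_header("remember", value, TOKEN_TTL)


def user_from_remember_cookie(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user this cookie authenticates, or None if unknown or expired."""
    now = time.time() if now is None else now
    user, sep, token = cookie_value.partition(":")
    if not sep:
        return None
    presented = _hash_token(token)
    for stored_hash, expires in list(REMEMBER_TOKENS.get(user, {}).items()):
        # Constant-time compare, so lookups do not leak the stored hash.
        if hmac.compare_digest(stored_hash, presented):
            if now < expires:
                return user
            del REMEMBER_TOKENS[user][stored_hash]  # expired: drop it
            return None
    return None


def revoke_remember_cookie(cookie_value: str) -> bool:
    """Server-side logout: kills this one token without touching the password."""
    user, _, token = cookie_value.partition(":")
    return REMEMBER_TOKENS.get(user, {}).pop(_hash_token(token), None) is not None


def issue_password_cookie(user: str, password: str) -> Tuple[str, str]:
    """The approach the post argues against, for contrast.

    Same amount of code, but the cookie itself now carries the credential:
    whoever reads it holds the password, it cannot be revoked short of a
    password change, and it unlocks every other site where the user reused it.
    """
    value = "%s:%s" % (user, password)
    return value, _cookie_header("remember", value, TOKEN_TTL)
```

The token variant is the same number of lines as the password variant plus a lookup and a revoke; what it buys is that the secret in the cookie is worthless anywhere else, can be expired or revoked per browser, and never reveals the password even if the cookie or the server-side table leaks.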