Joseph Bannon wrote:
I think it's the responsibility of whoever is holding the key (i.e., the username and password). When a user logs into my site, I put their username and password in a cookie. I then check those cookies to allow them access to membership-only parts of the site. It is thus their responsibility to keep people from accessing the cookies on their machine. If I don't put the username and password on their machine and just use a session id, now the responsibility is in my hands.
What the hell kind of logic is that? So now it depends on what kind of data you put in the cookie for it to be your responsibility? You are definitely not a lawyer. :)
Neither am I mind you, but I think you should be held responsible for any data that's stored in a cookie. There should not be any sensitive data in cookies. Now, what's sensitive can be debated, but I'm sure it includes the username and password.
IMHO, by storing the user's name and password in a cookie, you may be exposing that information to unnecessary risks by letting it go back and forth continuously on the Net (assuming, of course, that you're not under SSL and/or are using some encryption mechanism) and possibly someone could argue that you did not take the necessary steps to protect the user's data in an efficient way.
Second that. The method you're using now is horrible; there's no reason to ever store usernames and passwords in cookies. You're exposing this information for every request. At least if you're using a "session id" instead of the actual data, only that session can be hijacked, instead of the entire account.
You're not even allowed to use persistent cookies on public government sites unless you get permission from the Secretary of Defense.
-- ---John Holmes...
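As an added example (not code from the thread or its authors), here is the credential-in-cookie login the replies object to, beside a session-id login in PHP. The user store, `find_user()` and the `alice` record are constructed placeholders; `password_hash()`/`password_verify()` and the array form of `session_set_cookie_params()` assume PHP 7.3 or later.

```php
<?php
// Added example: contrasts the two approaches discussed in the thread.

// --- What the thread warns against: the credentials ride along on every
// request and sit on disk; whoever reads them owns the whole account.
function login_with_credential_cookies(string $user, string $pass): void
{
    setcookie('username', $user, time() + 86400 * 30);
    setcookie('password', $pass, time() + 86400 * 30);
}

// --- Constructed user store (placeholder): only a password hash is kept.
function find_user(string $user): ?array
{
    $users = [
        'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$user] ?? null;
}

// --- Session-based approach: the browser holds only an opaque session id,
// so a leaked cookie exposes one session, which the server can revoke.
function login_with_session(string $user, string $pass): bool
{
    $record = find_user($user);
    if ($record === null || !password_verify($pass, $record['hash'])) {
        return false;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, not persisted to disk
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);          // fresh id after auth; old id invalidated
    $_SESSION['user_id'] = $record['id']; // the password never leaves the server
    return true;
}

// Members-only pages consult the server-side session, never a password cookie.
function current_user_id(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user_id'] ?? null;
}

// Logout ends the session server-side; a stolen session id then stops working,
// which a username/password cookie can never offer without changing the password.
function logout(): void
{
    session_start();
    $_SESSION = [];
    session_destroy();
}
```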