T A Flores wrote:
>
> I think it would not necessarily be a dangerous thing to do.  The
> question you need to ask yourself is whether or not this is the right
> thing to do.  It is much easier to be security conscious than to add a
> weakness to the system from the word go.  I personally would never
> pass around a password.  The previous message about the encrypted
> password in the cookie is your best bet.
I don't think so. Cookies get passed back and forth from server to
browser and can be sniffed easily. Cookies are good for simple sites (I
don't really mind if someone rips my java-developer-connection
password), but when you're talking about a secure web site like a bank or some
other financial institution, you really would not want to pass the
passwords around in cookies. The good thing about session variables is
that they stay within the VM and are not easily visible. The problem
arises when they are serialized.

Anyway the safest solution would be a quick connection to the database
to retrieve the (hashed) password.

sven

--
Sven E. van 't Veer
http://www.cachoeiro.net
Java Developer
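As an added example (not code from either poster), a Java servlet login helper that follows sven's recommendation: the submitted password is checked against a hash retrieved from storage, and only the authenticated user's name goes into the HttpSession, so neither the cookie (which carries just the container's session id) nor a serialized session ever holds the password. The stored-hash format, the PBKDF2 parameters and the "authenticatedUser" attribute name are this example's assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class LoginHelper {
    private static final int ITERATIONS = 100_000;   // assumed work factor
    private static final int KEY_BITS = 256;

    // Assumed storage format: base64(salt) ":" base64(PBKDF2 output).
    // In a real application this string comes from the user table, as the post suggests.
    static String hashForStorage(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(derive(password, salt));
    }

    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, derive(password, salt));
    }

    private static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // On success the session records WHO is logged in, never the password itself,
    // so a serialized session or a sniffed cookie exposes at most the session id.
    static boolean login(HttpServletRequest req, String user, char[] password,
                         String storedHash) throws Exception {
        boolean ok = verify(password, storedHash);
        Arrays.fill(password, '\0');              // drop the cleartext as soon as it is checked
        if (!ok) return false;
        req.getSession().invalidate();            // fresh session id after authentication
        HttpSession s = req.getSession(true);
        s.setAttribute("authenticatedUser", user);
        return true;
    }
}
```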
