On Mon, 28 Mar 2005 15:12:06 -0500, Thomas, Mark - BLS CTR
<[EMAIL PROTECTED]> wrote:
> > I would like to get some opinions on what is safer,
> > hidden fields or cookies?
> 
> You might be surprised to hear both are equally insecure. In either case,
> you're sending data to a browser, and you're assuming the browser will send
> it back to you unchanged. Yet either can be manipulated.
> 
> The best thing to do is avoid sending important data to the browser
> altogether. You can use a sessionID as the previous poster mentions, but be
> sure you keep in mind that the SessionID can be manipulated so make sure you
> build the proper controls in place to handle that.
> 

This is a VERY interesting thread. It all depends on your needs,
but security is getting more and more of a legal issue, so ...

Most websites include both... cookies for the session handling and
hidden fields for the login handshake. Use an SSL/TLS web page for
login/signup. Everything else is OK to use in cookies, IF there are
no passwords "in the clear".

That brings up the basic philosophy you should follow: don't leave
"tracks" in your client-level HTML code that a bad person can follow
to get into your website... no decryption logic or HTML comments like
"// decode base64 here" (I know it sounds dumb, but I admit; mea
culpa).

If this thread gets deeper, maybe we can all have a security discussion.

kevindot
_______________________________________________
Perl-Win32-Users mailing list
Perl-Win32-Users@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
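Putting the thread's advice into working code: an added example (mine, not from any poster), in Python rather than the list's Perl, contrasting a handler that trusts a hidden field with one that keeps the identity in a server-side store behind a random session id, and adding an HMAC tag for the case where a hidden field must round-trip through the browser. SERVER_KEY and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key for this example only; a real server loads it from configuration.
SERVER_KEY = b"example-only-server-key"


def sign_hidden_field(value: str) -> str:
    """Attach an HMAC tag so a hidden field is tamper-evident. The value is
    still visible to the client: this protects integrity, not confidentiality."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden_field(field: str) -> Optional[str]:
    """Return the value if its tag verifies, None if the field was altered."""
    value, sep, tag = field.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


class SessionStore:
    """Keep the real state on the server; the browser only holds a random id."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits, unlike a sequential counter
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)  # forged or expired id -> None


def who_is_logged_in_naive(form: dict) -> Optional[str]:
    """Trusts the hidden field: editing it in the browser changes the identity."""
    return form.get("user")


def who_is_logged_in(store: SessionStore, cookies: dict) -> Optional[str]:
    """Trusts only the server-side record found under the session id cookie."""
    session = store.lookup(cookies.get("sid", ""))
    return session["user"] if session else None
```

The signed field still shows its value to anyone reading the page source, which is why the identity itself stays in the store and only the opaque id travels in the cookie.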