If we're into analogies, how about a cookie containing username/password being 
much the same as leaving the keys to the house under your doormat? If someone 
knows that this is a common practice, they can find them and gain access to 
your house.

As I understand it (and I am not a lawyer) the laws in the UK (esp. Data 
Protection Act 1998 and the Computer Misuse Act) would place the 
responsibility with the site provider if cookies or 
authorisation/authentication mechanisms enable unauthorised access to 
information directly or indirectly - rather than the end user. In the case of 
personal data, the provider would be deemed to have failed to take adequate 
steps to protect the data from unauthorised disclosure. In other cases, it 
would probably render a successful prosecution of hacking more difficult.

Nick

On Tuesday 21 Oct 2003 11:10 pm, Chris Shiflett wrote:
> --- Marco Tabini <[EMAIL PROTECTED]> wrote:
> > IMHO, by storing the user's name and password in a cookie, you may be
> > exposing that information to unnecessary risks by letting it go back
> > and  forth continuously on the Net (assuming, of course, that you're
> > not under SSL and/or are using some encryption mechanism) and possibly
> > someone could argue that you did not take the necessary steps to protect
> > the user's data in an efficient way.
>
> I agree completely with this. If you are exposing someone's access
> credentials over the Internet for every single transaction (potentially
> many times for every page), your neglect would probably outweigh the fact
> that you didn't intentionally hand a third party any information. That's
> just my perspective, of course.
>
> In the case of cookies in general, I don't think it's as clear as any of
> the analogies used so far. The typical user probably doesn't realize you
> are setting or reading cookies. And, since the developer understands this
> while the user doesn't, it seems risky that the developer can know about
> potential vulnerabilities without alerting the user. I always assumed those
> legal disclaimers said stuff like, "You could die from using this site.
> Your death is not our responsibility. Browse at your own risk." Well, maybe
> not that extreme, but you get the idea. :-)
>
> Of course, if you don't store sensitive data in the cookies, there's not a
> big concern anyway.
>
> I should mention that the law doesn't always agree with me, so it's never
> safe to assume it does. I'm just saying what makes sense to me. :-)
>
> Chris
>
> =====
> My Blog
>      http://shiflett.org/
> HTTP Developer's Handbook
>      http://httphandbook.org/
> RAMP Training Courses
>      http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
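The two patterns discussed in this thread, side by side, as an added example that is not code from any of the posters: the "keys under the doormat" cookie that carries the username and password on every request, and the alternative of a cookie that carries only a random, revocable session identifier. It is written in PHP because this is the php-general list; the `$sessions` array, the function names and the `$password_hash` parameter are my own assumptions standing in for whatever store the site actually uses.

```php
<?php
// Added example for the cookie discussion; not from the original thread.
// $sessions stands in for a server-side session table (database, file, etc.).

declare(strict_types=1);

// --- The pattern the thread warns about.
// The reusable credential leaves the server and is re-sent by the browser on
// every request, so anyone who can read the cookie (in transit without SSL,
// or on the user's disk) holds the password itself.
function weak_login_cookie(string $user, string $password): void
{
    setcookie('auth', base64_encode("$user:$password"), time() + 86400);
}

// --- The alternative: verify the password once, then hand out an opaque token.
// The cookie never contains the password, and a leaked token can be revoked.
function login_and_issue_session(
    string $user, string $password, string $password_hash, array &$sessions
): ?string {
    if (!password_verify($password, $password_hash)) {
        return null;                                  // wrong password: no cookie at all
    }
    $token = bin2hex(random_bytes(32));               // 256-bit unguessable identifier
    $sessions[hash('sha256', $token)] = [             // store only a hash of the token
        'user'    => $user,
        'expires' => time() + 3600,                   // short lifetime limits exposure
    ];
    setcookie('sid', $token, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,                           // only sent over HTTPS
        'httponly' => true,                           // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Map the cookie value back to a user, refusing expired or unknown tokens.
function user_for_session(?string $token, array &$sessions): ?string
{
    if ($token === null) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($sessions[$key])) {
        return null;
    }
    if ($sessions[$key]['expires'] < time()) {
        unset($sessions[$key]);                       // clean up the stale entry
        return null;
    }
    return $sessions[$key]['user'];
}

// Revoking a session is one deletion; revoking a leaked password is a reset.
function revoke_session(string $token, array &$sessions): void
{
    unset($sessions[hash('sha256', $token)]);
    setcookie('sid', '', time() - 3600, '/');
}

// Usage sketch with constructed values (a real site reads $_COOKIE['sid']).
$sessions = [];
$hash  = password_hash('correct horse', PASSWORD_DEFAULT);
$token = login_and_issue_session('nick', 'correct horse', $hash, $sessions);
var_dump(user_for_session($token, $sessions));       // string(4) "nick"
var_dump(user_for_session('not-a-token', $sessions)); // NULL
revoke_session($token, $sessions);
var_dump(user_for_session($token, $sessions));       // NULL
```

If the site is not served over SSL, the token is still exposed in transit just as the thread describes for the password; the difference is what the exposure costs. A captured token is short-lived, tied to one site, and can be killed server-side, whereas a captured password is the user's actual credential and may be reused elsewhere.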
