--- "Chris W. Parker" <[EMAIL PROTECTED]> wrote:

> Store the username+password as an MD5 hash in a cookie, also store the
> user id. Then on the other servers you can read the user id and use that
> to pull out the username and password hash (you do hash your passwords
> within the database right?) from a database and then hash those two and
> compare the result with the cookie's info.
I don't like this type of approach, because it is basically a way to use cookies as an authentication mechanism, which is not their intended use. Cookies are good for the identification of the client (the purpose of their creation, state management), and sites like Google also use them to allow preference-selection for anonymous users, which seems like another good use.

When a cookie is used for authentication, the risk of impersonation is greatly increased. Browsers such as IE allow anyone to read a cookie from any domain (not intentionally, of course), so you should assume cookies to be public information. Obscuring the data within is a good step, but as common parlance warns, it does not eliminate the security risk.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
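A worked contrast of the two approaches discussed above, added here as an example and not code from either poster. Scheme A is the quoted proposal (cookie = md5 of username and stored password hash); Scheme B uses the cookie only as an identifier for a server-side session, which is the state-management use the reply recommends. The in-memory arrays standing in for the database and session store, the user and password values, and the cookie attribute choices are all assumptions of this example; it targets PHP 7.4 or later.

```php
<?php
// Added example, not from the thread. Contrasts a credential-derived cookie
// (Scheme A, the quoted proposal) with an opaque server-side session token
// (Scheme B). In-memory arrays stand in for the database / session store.
declare(strict_types=1);

// --- Scheme A: the cookie value is derived purely from credentials, so it is
// identical on every login, never expires, and cannot be revoked without a
// password change. Anyone who can read it can present it indefinitely.
function staticCookieValue(string $username, string $passwordHash): string
{
    return md5($username . $passwordHash);
}

function verifyStaticCookie(string $cookie, string $username, string $passwordHash): bool
{
    // Constant-time comparison; the real weakness is the scheme, not the compare.
    return hash_equals(staticCookieValue($username, $passwordHash), $cookie);
}

// --- Scheme B: the cookie only identifies a session record held server-side.
// The token is random, carries no secret, is time-limited, and can be revoked.
final class SessionStore
{
    /** @var array<string, array{user_id:int, expires:int}> */
    private array $sessions = [];
    private int $ttlSeconds;

    public function __construct(int $ttlSeconds = 1800)
    {
        $this->ttlSeconds = $ttlSeconds;
    }

    public function create(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits of entropy, unguessable
        $this->sessions[$token] = ['user_id' => $userId, 'expires' => $now + $this->ttlSeconds];
        return $token;
    }

    /** Returns the user id for a live token, or null if unknown or expired. */
    public function lookup(string $token, int $now): ?int
    {
        if (!isset($this->sessions[$token])) {
            return null;
        }
        if ($this->sessions[$token]['expires'] <= $now) {
            unset($this->sessions[$token]); // expired: forget it
            return null;
        }
        return $this->sessions[$token]['user_id'];
    }

    /** Logout or forced invalidation: the cookie value becomes worthless. */
    public function revoke(string $token): void
    {
        unset($this->sessions[$token]);
    }
}

/** Options for setcookie(): keep the token away from script access and plain HTTP. */
function sessionCookieOptions(int $ttlSeconds): array
{
    return [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ];
}

// Demo with constructed data; run with `php thisfile.php`.
$userId = 42;
$passwordHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

$a1 = staticCookieValue('alice', $passwordHash);
$a2 = staticCookieValue('alice', $passwordHash);
echo "A: cookie identical across logins: " . var_export($a1 === $a2, true) . "\n";
echo "A: cookie still accepted after 'logout': " . var_export(verifyStaticCookie($a1, 'alice', $passwordHash), true) . "\n";

$store = new SessionStore(1800);
$now = time();
$t1 = $store->create($userId, $now);
$t2 = $store->create($userId, $now);
echo "B: tokens differ per login: " . var_export($t1 !== $t2, true) . "\n";
echo "B: valid now: " . var_export($store->lookup($t1, $now) === $userId, true) . "\n";
echo "B: rejected after TTL: " . var_export($store->lookup($t1, $now + 1801) === null, true) . "\n";
$store->revoke($t2);
echo "B: rejected after logout: " . var_export($store->lookup($t2, $now) === null, true) . "\n";
// In a request handler: setcookie('sid', $t1, sessionCookieOptions(1800));
```

The point the demo makes is the one in the reply: with Scheme A the cookie is itself a long-lived credential, so treating it as public information means treating the account as compromised the moment it is read. With Scheme B the cookie only names a session; a leaked token is still bad, but it expires, it can be revoked on logout or on suspicion, and it reveals nothing about the password.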