On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> 
> In regards to "Passing/testing the password on each page is unnecessary and
> poses security risks.", I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> cookie on my own server, not in the cookie that is sent to the user to
> maintain sessions.  The cookie sent to the user merely contains the session
> ID.  Therefore, other than someone hijacking the session, I'm a little
> unclear as to the security risk.  Have I got this right?

A general rule:  if something doesn't need to be stored, don't store it.
This saves time and space.

In the instance of passwords, storing them needlessly keeps sensitive
information around.  This poses a problem in the event your system gets
compromised.  There are lots of ways that can happen, both known and yet
to be discovered and yet to be created.  So, it's just safer not to do
it.

--Dan

-- 
               PHP classes that make web design easier
        SQL Solution  |   Layout Solution   |  Form Solution
    sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
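
The rule in the reply above, as an added example that is not part of the original message: the password is checked once at login and only the user's identity is kept in the session, so per-page checks never touch the password. The names `$users`, `login()` and `current_user()` are hypothetical, the credentials are constructed sample data, and `password_hash()`/`password_verify()` are current PHP functions that postdate this thread.

```php
<?php
// Added example. Constructed sample data: one user with a hashed password.
$users = ['jeff' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Check the password once, at login. Only the user name and a timestamp go
// into the session; the plaintext password is gone when this function returns.
function login(array &$session, array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Issue a fresh session ID when the privilege level changes.
        session_regenerate_id(true);
    }
    $session = ['user' => $user, 'logged_in_at' => time()];
    return true;
}

// Per-page check: the session records who is logged in, so nothing needs to
// re-test (or even hold) the password on later requests.
function current_user(array $session): ?string
{
    return $session['user'] ?? null;
}

// A plain array stands in for $_SESSION so the example runs from the CLI.
$session = [];
var_dump(login($session, $users, 'jeff', 'wrong guess'));
var_dump(login($session, $users, 'jeff', 'correct horse'));
var_dump(current_user($session));

// Everything the server holds for this session: no password, no hash.
echo serialize($session), "\n";
```

In a web request, pass `$_SESSION` as the first argument after calling `session_start()`.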
