Absolutely right!  I'm storing the password needlessly.  I've got the user
name and that's all I need for anything further.  Thanks!


> -----Original Message-----
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 12:42 PM
> To: PHP List
> Subject: Re: [PHP] Access control question - follow-up question
> On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> >
> > In regards to "Passing/testing the password on each page is
> unnecessary and
> > poses security risks.", I'm under the impression that when I
> create the user
> > and password variables, the variables are only available in the session
> > cookie on my own server, not in the cookie that is sent to the user to
> > maintain sessions.  The cookie sent to the user merely contains
> the session
> > ID.  Therefore, other than someone hijacking the session, I'm a little
> > unclear as to the security risk.  Have I got this right?
> A general rule:  if something doesn't need to be stored, don't store it.
> This saves time and space.
> In the instance of passwords, storing them needlessly keeps sensitive
> information around.  This poses a problem in the event your system gets
> compromised.  There are lots of ways that can happen, both known and yet
> to be discovered and yet to be created.  So, it's just safer not to do
> it.
> --Dan
> --
>                PHP classes that make web design easier
>         SQL Solution  |   Layout Solution   |  Form Solution
>     sqlsolution.info  | layoutsolution.info |  formsolution.info
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>  4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to