Absolutely right! I'm storing the password needlessly. I've got the user
name and that's all I need for anything further. Thanks!
> -----Original Message-----
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 12:42 PM
> To: PHP List
> Subject: Re: [PHP] Access control question - follow-up question
> On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> > In regards to "Passing/testing the password on each page is unnecessary and
> > poses security risks.", I'm under the impression that when I create the user
> > and password variables, the variables are only available in the session
> > cookie on my own server, not in the cookie that is sent to the user to
> > maintain sessions. The cookie sent to the user merely contains the session
> > ID. Therefore, other than someone hijacking the session, I'm a little
> > unclear as to the security risk. Have I got this right?
> A general rule: if something doesn't need to be stored, don't store it.
> This saves time and space.
> In the instance of passwords, storing them needlessly keeps sensitive
> information around. This poses a problem in the event your system gets
> compromised. There are lots of ways that can happen, both known and yet
> to be discovered and yet to be created. So, it's just safer not to do
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
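
The approach the thread settles on, as an added example that is not part of the original messages: the password is checked once at login and only the user name is kept in the server-side session for later pages. The function names, the `$users` array and the sample credentials are hypothetical, and the code assumes a current PHP (7.1 or later) with `password_hash()`/`password_verify()`.

```php
<?php
// Added example. Constructed sample data: in a real application the hash
// comes from the user table, not from an array in the script.
$users = ['jeff' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Hypothetical helper: verify the password once, at login time only.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a fresh session ID after authentication so an ID obtained
    // before login cannot be reused for the authenticated session.
    session_regenerate_id(true);
    // Only the identity is stored; the password is discarded when this returns.
    $_SESSION['username'] = $username;
    return true;
}

// Hypothetical helper: the per-page check needs the user name and nothing else.
function current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

session_start();

// Collect results before printing: session functions must run before output.
$results = [
    'wrong password accepted' => login($users, 'jeff', 'wrong'),
    'right password accepted' => login($users, 'jeff', 'constructed-sample-pw'),
    'user seen by later pages' => current_user(),
    // What a compromise of the session store would expose.
    'keys held in the session' => array_keys($_SESSION),
];

var_dump($results);
```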