> > In case of login/password required sites, I use the login and password as
> > cookie values and have _no_ expire date set. Every time a request is made
> > _both_ cookie values (login and password) are checked with that on the
> > server.
>
> I would hope that you are not storing and matching the user's plaintext
> password...
>
Well .. I am ... nobody but the user themselves can see the login and password
in the cookie. Unless it's on a non-SSL connection and somebody is
packet-sniffing around. Otherwise there would be no leak for somebody else
to get this information, is there?
And if the user doesn't logout, the cookie is still destroyed when the
browser is closed anyway.
Eelco.
--
PHP General Mailing List (http://www.php.net/)
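
The thread above discusses a cookie that carries the login and password and is compared on every request. As an added example (not code from the thread or from any poster), this PHP sketch shows the common alternative: the cookie holds only a random session token, while the server keeps a password hash and a token table. The names `$users`, `$sessions`, the cookie name `sid`, the sample credentials and the 30-minute lifetime are assumptions.

```php
<?php
// Constructed user store: the server keeps a password hash, never the plaintext.
$users = ['eelco' => password_hash('example-passphrase', PASSWORD_DEFAULT)];
// Hypothetical server-side session table: sha256(token) => [user, expires].
$sessions = [];

// Check the credentials once, at login, and hand back an opaque random token.
function login(array $users, array &$sessions, string $user, string $pass): ?string {
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    // Store only a hash of the token, so a leaked table cannot be replayed as cookies.
    $sessions[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + 1800];
    // In a web request the token would be sent with:
    // setcookie('sid', $token, ['expires' => 0, 'path' => '/',
    //     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $token;
}

// Per-request check: the cookie proves a session exists, it does not contain the password.
function authenticate(array &$sessions, array $cookies): ?string {
    $token = $cookies['sid'] ?? '';
    if (!is_string($token) || $token === '') {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($sessions[$key])) {
        return null;
    }
    if ($sessions[$key]['expires'] < time()) {
        unset($sessions[$key]); // expired server-side, whatever the browser still holds
        return null;
    }
    return $sessions[$key]['user'];
}

// Logout revokes the token on the server, so a captured cookie stops working.
function logout(array &$sessions, array $cookies): void {
    unset($sessions[hash('sha256', (string)($cookies['sid'] ?? ''))]);
}

// Constructed walk-through, run from the command line.
$token = login($users, $sessions, 'eelco', 'example-passphrase');
var_dump(authenticate($sessions, ['sid' => $token]));          // valid session
var_dump(authenticate($sessions, ['sid' => str_repeat('0', 64)])); // unknown token
logout($sessions, ['sid' => $token]);
var_dump(authenticate($sessions, ['sid' => $token]));          // revoked session
```

With this layout a cookie captured on a non-SSL connection exposes one revocable session, not the account password.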