--- John Kaspar <[EMAIL PROTECTED]> wrote:
> I'm just storing its hash. Then comparing it to the database hash.
> Is that bad?

Yes, but the risk is not so much that the user's password is in danger of being acquired, but rather that this step is not necessary to impersonate the user. This hash of the password is an authentication credential, and you're using it for identification. This is not necessary.

> Is there a good write-up somewhere discussing authentication
> techniques that you could recommend?

Again, I think the important point here is to distinguish between authentication and identification. You only have to authenticate a user once. After that, your focus is on identifying the user. Identification is not trivial, since you want to protect against impersonation (session hijacking), but passing authentication credentials around on the Internet more than necessary is not a good idea.

As for a description somewhere, I just put up a page describing cookies:

http://shiflett.org/books/http-developers-handbook/chapters/11

The figures aren't up yet, but I think they're unnecessary for your particular question.

> Yahoo makes you reenter your password every time you reopen your
> browser.

Right. Yahoo! remembers you, not your authentication information. It enforces a session timeout of some sort (user configurable in many cases, up to a certain maximum length) for the session itself, but the cookie with your username lasts a very long time. When your session expires, you only have to enter your password. Still, because a username can be considered half of the authentication credentials (even though it's the easiest to guess), users are only given this as an option.

Hope that helps.

Chris

=====
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
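An added illustration of the authenticate-once, identify-afterwards split described in the reply above; this is example code, not code from the thread (Python rather than PHP, and the in-memory tables, the PBKDF2 hashing and the 15-minute timeout are assumptions of the example):

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the user table and session table.
USERS = {}       # username -> (salt, password_hash)
SESSIONS = {}    # session_id -> {"user": username, "expires": unix_time}
SESSION_TTL = 15 * 60  # the session timeout; the username cookie can live far longer


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login(username, password, now=None):
    """Authentication happens once. On success returns (session_id, username):
    the session id is random and unrelated to the password hash, so the hash
    never leaves the server; the username may go in a long-lived cookie."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    session_id = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + SESSION_TTL
    SESSIONS[session_id] = {"user": username, "expires": expires}
    return session_id, username


def identify(session_id, now=None):
    """Identification on every later request: look the session id up and
    enforce the timeout. Returns the username, or None once the session has
    expired (the caller then asks for the password again, as Yahoo! does)."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    if (time.time() if now is None else now) > sess["expires"]:
        del SESSIONS[session_id]
        return None
    return sess["user"]
```

Only the random session id and the username are sent back on each request, so a stolen cookie is limited to the session's lifetime instead of standing in for the password hash forever.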