Absolutely right! I'm storing the password needlessly. I've got the user name and that's all I need for anything further. Thanks!
Jeff

> -----Original Message-----
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 12:42 PM
> To: PHP List
> Subject: Re: [PHP] Access control question - follow-up question
>
>
> On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> >
> > In regards to "Passing/testing the password on each page is unnecessary and
> > poses security risks.", I'm under the impression that when I create the user
> > and password variables, the variables are only available in the session
> > cookie on my own server, not in the cookie that is sent to the user to
> > maintain sessions. The cookie sent to the user merely contains the session
> > ID. Therefore, other than someone hijacking the session, I'm a little
> > unclear as to the security risk. Have I got this right?
>
> A general rule: if something doesn't need to be stored, don't store it.
> This saves time and space.
>
> In the instance of passwords, storing them needlessly keeps sensitive
> information around. This poses a problem in the event your system gets
> compromised. There are lots of ways that can happen, both known and yet
> to be discovered and yet to be created. So, it's just safer not to do
> it.
>
> --Dan
>
> --
> PHP classes that make web design easier
> SQL Solution | Layout Solution | Form Solution
> sqlsolution.info | layoutsolution.info | formsolution.info
> T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
> 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
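
The approach the thread settles on, as an added example that is not part of the original messages: the password is verified once at login, only the user name is kept in the server-side session, and each page checks that value. The user table, function names and sample password are constructed for illustration; the code assumes PHP 7.1+ run from the command line or as a page.

```php
<?php
// Added example, not code from the thread. password_hash()/password_verify()
// exist since PHP 5.5; the nullable return type needs PHP 7.1.
session_start(); // the client only ever receives the session ID cookie

// Constructed user table; a real application would read hashes from its database.
$users = ['jeff' => password_hash('example-password', PASSWORD_DEFAULT)];

// Verify the password once, at login, then let it go out of scope.
function login(array $users, string $user, string $password): bool
{
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    $_SESSION['user'] = $user;     // the only login-related value that is kept
    // Deliberately absent: $_SESSION['password'] = $password;
    // A compromised session store would then expose the password itself.
    return true;
}

// Per-page check: the user name in the session is enough, no password re-test.
function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// All session calls happen before any output so no header warnings are raised.
$rejected = login($users, 'jeff', 'wrong-password');
$accepted = login($users, 'jeff', 'example-password');

var_dump($rejected);
var_dump($accepted);
var_dump(current_user());
var_dump(array_key_exists('password', $_SESSION));
```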