2000-06-17 03:37:08+02 by Dan Lyke 0 comments
I do not get it. What is the fascination CGI "programmers" have with storing passwords in cookies? A while back I reported on the IE bug which let any site read a cookie for any other site, via Camworld here's a quick rundown on how the New York Times is dealing with the IE cookie stealing bug, but this should not have happened in the first place. There's no reason a password should go over a channel more than once. Store a record ID and a random string in the cookie on the client machine, when you're asked to do validation compare that random string against one stored in the user's record, if the cookie gets compromised you've lost only that single account (and, of course, any system which actually displays a password via a web page is completely brain dead). This is the way Flutterby's comment system works, and there's no excuse other than lazy sloppy programming to do it any less secure way.