Tom Potts wrote:
> If you want to be secure then the only data you should ever store in a cookie
> is a session ID and that session ID should be created in such a way as to
> make forging it nigh on impossible and with sensible timeouts on client and
> server. And remember some people/institutions won't allow cookies so you
> should be able to offer alternatives - generally the query string (i.e.
> URL?sessioninfo=encryptedstring).
> The server should be used for all other information - userinfo, shopping list
> etc.
> Not only is this good practice but it makes debugging a hell of a lot easier!
> I'm trying not to be too technical here!
> Tom te tom te tom

The only way any web authentication can be really secure is via https and a
relevant trusted third party certificate authority. Without https, all
transmissions are subject to eavesdropping and man-in-the-middle attacks. Even
then it is not a 100% foolproof system, just a lot harder to break.

Most websites are not that secure, and most CMS software (all that I know
about) uses insecure authentication methods.

There are free certificate authorities now according to Wikipedia, so this may
change: http://en.wikipedia.org/wiki/Certificate_authority

Anton

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
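The two points made in this exchange (Tom's: keep only an unforgeable, time-limited session ID in the cookie and everything else on the server; Anton's: the ID is only protected in transit over HTTPS) can be shown together in a small session store. The following is an added example written for this archive page, not code posted by either author; it assumes a cookie named `sid`, a 15-minute sliding timeout, and an in-memory dict standing in for whatever the server really uses to hold session data.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed example of a server-side session store. The cookie carries only
# an unguessable session ID; user info, shopping list etc. stay in _sessions.
SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG (secrets module)
IDLE_TIMEOUT_SECONDS = 15 * 60   # server-side timeout; the cookie Max-Age matches it


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}      # session_id -> {"data": {...}, "expires": float}
        self._clock = clock      # injectable so expiry can be tested deterministically

    def create(self, data):
        """Store `data` server-side under a fresh random ID and return the ID."""
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = {
            "data": dict(data),
            "expires": self._clock() + IDLE_TIMEOUT_SECONDS,
        }
        return session_id

    def lookup(self, presented_id):
        """Return the session data for a presented ID, or None if unknown or expired.

        Expired entries are dropped on sight; a live entry gets its timeout
        extended (sliding expiry), which is the "sensible timeout" on the server.
        """
        entry = self._sessions.get(presented_id)
        if entry is None:
            return None
        now = self._clock()
        if entry["expires"] <= now:
            del self._sessions[presented_id]
            return None
        entry["expires"] = now + IDLE_TIMEOUT_SECONDS
        return entry["data"]

    def destroy(self, session_id):
        """Log out: forget the session so the ID is worthless even if replayed."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id, over_https):
    """Build the Set-Cookie value for the session ID.

    HttpOnly keeps page scripts from reading it, SameSite=Lax limits cross-site
    sending, Max-Age mirrors the server timeout. Secure is added when the site
    is served over HTTPS, which is the only case in which the ID is not exposed
    to eavesdropping in transit (Anton's point).
    """
    parts = [
        f"sid={session_id}",
        f"Max-Age={IDLE_TIMEOUT_SECONDS}",
        "Path=/",
        "HttpOnly",
        "SameSite=Lax",
    ]
    if over_https:
        parts.append("Secure")
    return "; ".join(parts)


def session_id_from_cookie(cookie_header):
    """Extract the sid value from a request's Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice", "cart": ["book"]})   # constructed data
    print("Set-Cookie:", set_cookie_header(sid, over_https=True))
    echoed = session_id_from_cookie(f"theme=dark; sid={sid}")
    print("lookup ->", store.lookup(echoed))
    store.destroy(sid)
    print("after logout ->", store.lookup(echoed))
```

The query-string fallback Tom mentions would use the same store: the ID is simply read from a request parameter instead of the cookie, and the same expiry and logout logic applies, though the ID then ends up in server logs and browser history, which is why the cookie is the preferred carrier.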