cookies

bbbbb

Are there real sites that store user passwords in cookies?

MarkR

Yes there are. Doing so does not constitute a major security risk unless you have some other bug in your web site (e.g. it's vulnerable to a XSS attack).

PHPBuilder seems to store the password hashed in some way in a cookie. This is slightly more secure I suppose, but if someone stole it they'd still have access.

Mark

Rodney_H_

Perhaps another couple of ways to help secure a cookie with password info would be to employ some of these techniques:

1) Name the cookie something benign and intentionally misleading
2) Append another string to it's value when creating and saving cookie (yet, obviously you will need to remove the exact string that was added to the password value prior to logging in)
3) HASH or encrypt the value

I guess the best thing to consider is that things like access level or if the user is an administrator in the system should not be cookie'd, however.

Hope that helps.