http://qs321.pair.com?node_id=29943
in reply to Cookie based authentication: Is it secure?

Ovid already explained the security issue.

Unless you encrypt the whole site (which is a huge performance hit) you should assume that any data sent in cookies is meant to be public and will be used by someone trying to break in. Think about that before passing passwords and credit card numbers around.

Currently standard https authentication will cost money in the US. However in a couple of months the RSA patent expires and you will be able to both legally and freely use mod_ssl with Apache. Outside of North America this patent does not hold and you can use mod_ssl without legal worries. Certainly things like credit card information should only be passed through https. (In fact as an anti-fraud measure VISA is introducing new standards that will disqualify any merchant that sends credit card information over http!)

An alternative for simple authentication that I find interesting is turning a form into http authentication like Hotmail does. Quite a few FAQs say that this is impossible, but it is not and I explained the procedure in Put name and password in URLs.
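An added example, not from this thread or any monk's post, written in Python rather than Perl: it contrasts the credential-in-cookie pattern the post warns against with an opaque server-side session token whose cookie is marked Secure so the browser only sends it over https. The SESSIONS store and all function names are assumptions for illustration.

```python
# Added example (not from the PerlMonks thread). Names are assumptions.
import secrets
from typing import Optional
from http.cookies import SimpleCookie

# Constructed in-memory session store: opaque token -> username.
SESSIONS = {}


def credential_cookie(user: str, password: str) -> str:
    """The anti-pattern the post warns about: the password itself rides in
    the cookie on every request, so over plain http anyone on the path can
    read it. Returns the Set-Cookie value as the browser would receive it."""
    c = SimpleCookie()
    c["auth"] = f"{user}:{password}"
    return c.output(header="").strip()


def session_cookie(user: str) -> str:
    """Safer alternative: only a random opaque token goes to the client; the
    mapping to the user stays on the server. Secure restricts the cookie to
    https (the post's advice for anything sensitive); HttpOnly keeps page
    scripts from reading it. Returns the Set-Cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def user_from_cookie(cookie_header: str) -> Optional[str]:
    """Resolve an incoming Cookie: header to a user, or None if the token is
    missing or unknown. Nothing secret is recoverable from the cookie."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("session")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def logout(cookie_header: str) -> bool:
    """Server-side revocation: dropping the mapping invalidates the token,
    which is impossible when the cookie carries the password itself."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("session")
    return morsel is not None and SESSIONS.pop(morsel.value, None) is not None
```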