
"Remember me"

Hi

In several places, login forms have this “remember me” function/checkbox, so that you do not have to type the password each time. You may be logged in automatically, or the username and password are just filled in. Is this done by storing the password in a cookie? If so, is it encrypted in some way or just in “plain text”?
If the user is using a shared computer, does the page need to delete cookies or should the user take care of this himself?

Any advice or links?

Thanks
Lubox

PHP

3 Comments

@NogDog Nov 09.2007 — Yes, it is done with cookies, often including the password. Thus there is a non-trivial security risk in such an arrangement, since anyone with physical or remote access to that user's computer could conceivably view/copy those cookies. Even if the values are encrypted, the person stealing the cookies would have the encrypted values in his/her copy. You could lessen the risk by also storing the IP address and checking that it is the same one used on their last login, but with so many users having dynamic IPs, that may defeat the purpose for many of them. So, you need to weigh the risk of cookies being stolen versus the convenience to your users of not having to log in.
@Lubox (author) Nov 09.2007 — Ok, thanks for your reply. I need to discuss this with myself a bit.

How would you create an "I forgot my password" setup as secure as possible? Set a temporary password (usable for only a short period), mail it to them, and they would have to change it to a new one on first use?
@NogDog Nov 09.2007 —
> Ok, thanks for your reply. I need to discuss this with myself a bit.
>
> How would you create an "I forgot my password" setup as secure as possible? Set a temporary password (usable for only a short period), mail it to them, and they would have to change it to a new one on first use?

If you use hashed passwords, that's probably the best sort of solution from a security standpoint.
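
The reset flow discussed in the last two comments, as an added example that is not part of the original thread: a random temporary password is stored only as a hash, expires after a short window, works once, and forces a password change. The `$users` array, the function names and the 15-minute `TEMP_TTL` are assumptions for illustration; the example also assumes the old password stays valid until the change is made, and mailing the plaintext is left to the caller.

```php
<?php
// Constructed sample user record standing in for a database row (assumption).
$users = ['lubox' => [
    'pw_hash'      => password_hash('original-password', PASSWORD_DEFAULT),
    'temp_hash'    => null,  // hash of the temporary password, never the plaintext
    'temp_expires' => 0,     // Unix time after which the temporary password is rejected
    'must_change'  => false, // true once a temporary password has been used
]];
const TEMP_TTL = 900; // assumed validity window in seconds (15 minutes)

// Step 1: generate a temporary password, keep only its hash, return plaintext for the mail.
function issueTemporaryPassword(array &$users, string $name, int $now): ?string
{
    if (!isset($users[$name])) {
        return null; // show the same response to the requester either way
    }
    $temp = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $users[$name]['temp_hash']    = password_hash($temp, PASSWORD_DEFAULT);
    $users[$name]['temp_expires'] = $now + TEMP_TTL;
    return $temp;
}

// Step 2: accept the temporary password once, and only inside the validity window.
function loginWithTemporaryPassword(array &$users, string $name, string $temp, int $now): bool
{
    $u = $users[$name] ?? null;
    if ($u === null || $u['temp_hash'] === null || $now > $u['temp_expires']) {
        return false;
    }
    if (!password_verify($temp, $u['temp_hash'])) {
        return false;
    }
    $users[$name]['temp_hash']   = null; // single use
    $users[$name]['must_change'] = true; // allow only the change-password page
    return true;
}

// Step 3: the forced change replaces the stored hash and lifts the restriction.
function changePassword(array &$users, string $name, string $new): void
{
    $users[$name]['pw_hash']     = password_hash($new, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = false;
}

$now  = time();
$temp = issueTemporaryPassword($users, 'lubox', $now);
var_dump(loginWithTemporaryPassword($users, 'lubox', $temp, $now + TEMP_TTL + 1)); // after expiry
var_dump(loginWithTemporaryPassword($users, 'lubox', $temp, $now + 60));           // inside window
var_dump(loginWithTemporaryPassword($users, 'lubox', $temp, $now + 120));          // second use
```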