Re: Remember me function

Brad Brevet wrote:
> Is what I have set up and it is working is a cookie that saves someone's
> username if they check the "Remember Me" box. If the cookie is set it then
> starts the necessary session and stays active for 30 days.
>
> Are there any pitfalls to this that you can see? Are there any additional
> security measures I should take? As far as passwords are concerned you must
> have access to the user's specific email address in order to obtain that
> information, but then again I think that is the only way to relay password
> information at all, it isn't visibly available in a non-MD5 form anywhere on
> the site.

The biggest pitfall is people using public computers and checking
"Remember Me"...

I know, that sounds really dumb to you, but they do it.

If this is their bank account, I sure wouldn't do "Remember Me" (at all)

If it's not all *that* crucial...

The other consideration is if their computer is physically accessed/stolen.

Put it this way:

Assume the worst-case scenario, and that sooner or later, somebody is
going to abuse "Remember Me" to get to somebody else's data.  [Because it
*WILL* happen.]

Is this going to be a big problem?

If so, don't provide "Remember Me"

If you don't provide "Remember Me" you should allow users to pick their
own usernames, as much as possible, and to set their own passwords.

It's gotten to the point where sites that require me to login are seldom
visited.  I never remember what I used to login, and don't want to wait
for that email to arrive.  Bye.

-- 
Like Music?
http://l-i-e.com/artists.htm
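The thread's cookie stores the username itself, so anyone who copies it (public machine, stolen laptop) holds a credential that cannot be distinguished from the real user or revoked. The following is an added example, not code from either poster: a "Remember Me" cookie that carries a random selector/validator pair, keeps only a hash of the validator server-side, expires after the 30 days mentioned in the post, and rotates on every use. `$store` is an in-memory stand-in for a database table; the function and cookie names are the example's own.

```php
<?php
// Added example (not from the original thread): "Remember Me" via a random token
// rather than the username. $store stands in for a DB table keyed by selector.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days, as in the original post

function issueRememberToken(array &$store, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key for the row
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid, null otherwise.
function resumeFromRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    // hash_equals() avoids leaking the stored hash through timing differences.
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($store[$selector]);   // expired or tampered: revoke the row
        return null;
    }
    // Single use: drop the row and issue a fresh token, so a copied cookie
    // stops working as soon as the legitimate user next visits.
    unset($store[$selector]);
    issueRememberToken($store, $row['user_id']);
    return $row['user_id'];
}

// Call on logout (or from a "sign out everywhere" action) to kill the token.
function revokeRememberToken(array &$store, string $cookie): void
{
    unset($store[explode(':', $cookie, 2)[0]]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Because the server holds the rows, a user who suspects a stolen device can have every outstanding token deleted, which a username-in-cookie scheme cannot offer.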

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php