Brad Brevet wrote:

> What I have set up (and it is working) is a cookie that saves someone's
> username if they check the "Remember Me" box. If the cookie is set it then
> starts the necessary session and stays active for 30 days.
>
> Are there any pitfalls to this that you can see? Are there any additional
> security measures I should take? As far as passwords are concerned you must
> have access to the user's specific email address in order to obtain that
> information, but then again I think that is the only way to relay password
> information at all, it isn't visibly available in a non MD5 form anywhere on
> the site.

The biggest pitfall is people using public computers and checking "Remember Me"...

I know, that sounds really dumb to you, but they do it.

If this is their bank account, I sure wouldn't do "Remember Me" (at all).

If it's not all *that* crucial...

The other consideration is if their computer is physically accessed/stolen.

Put it this way:

Assume the worst-case scenario, and that sooner or later, somebody is going to abuse "Remember Me" to get to somebody else's data. [Because it *WILL* happen.]

Is this going to be a big problem?

If so, don't provide "Remember Me".

If you don't provide "Remember Me" you should allow users to pick their own usernames, as much as possible, and to set their own passwords.

It's gotten to the point where sites that require me to login are seldom visited. I never remember what I used to login, and don't want to wait for that email to arrive.

Bye.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
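For readers weighing the setup quoted above, here is an added example (not code from the thread) of the common defensive alternative to trusting a bare username cookie: a random selector/validator token that is stored hashed server-side with a 30-day expiry, rotated on each use, and therefore revocable if the computer is lost or shared. The in-memory `$store` array and the `remember` cookie name are assumptions of this example standing in for a database table.

```php
<?php
// Added example, not from the thread. $store stands in for a DB table
// keyed by selector (assumption): selector => [user_id, hash, expires].
const REMEMBER_DAYS = 30;

function issue_remember_token(string $userId, array &$store, int $now): string {
    $selector  = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_DAYS * 86400,
    ];
    return $selector . ':' . $validator;      // this string is the cookie value
}

function consume_remember_token(string $cookie, array &$store, int $now): ?string {
    if (substr_count($cookie, ':') !== 1) { return null; }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $store[$selector] ?? null;
    if ($row === null) { return null; }
    $valid = hash_equals($row['hash'], hash('sha256', $validator));
    unset($store[$selector]);   // single use: expired, tampered or consumed, it is gone
    if ($row['expires'] < $now || !$valid) { return null; }
    return $row['user_id'];     // caller starts the session and issues a fresh token
}

function send_remember_cookie(string $value, int $now): void {
    setcookie('remember', $value, [
        'expires'  => $now + REMEMBER_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Demo with a constructed in-memory store.
$store = [];
$now = time();
$cookie = issue_remember_token('brad', $store, $now);
send_remember_cookie($cookie, $now);
var_dump(consume_remember_token($cookie, $store, $now));   // first use: user id
var_dump(consume_remember_token($cookie, $store, $now));   // replayed: rejected
$cookie2 = issue_remember_token('brad', $store, $now);
var_dump(consume_remember_token($cookie2, $store, $now + 31 * 86400)); // past 30 days
```

Deleting a user's rows from `$store` (or the real table) on logout or password change revokes every remembered device at once, which is the control the stolen-computer case above calls for.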