Login script

mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

Login script

Post by mikes1471 »

I wondered if anyone had used or considered this one I found http://www.evolt.org/node/60384 and what did or do you think of it?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Login script

Post by Mordred »

So much work for so much suck. Insecure as well.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Login script

Post by alex.barylski »

I viewed the link and saw this:
"Passwords are not stored in cookies"
Why would passwords be stored in COOKIEs? :lol:
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Login script

Post by JAB Creations »

PCSpectra wrote: Why would passwords be stored in COOKIE's? :lol:
Err, wow... 8O Seriously, with auto-complete all I've done with Version 2.9 of my site is save a cookie with the user's username. Then when the page is loaded their username is echoed into the form, so if their password is saved all they have to do is press the sign-in button.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Login script

Post by alex.barylski »

Then when the page is loaded their username is echoed in to the form so if their password is saved all they have to do is press the sign-in button.
Storing a password in the COOKIE has two potential consequences:

1. COOKIE is transmitted each request -- unless you're using SSL, bad idea
2. COOKIE is easily accessed via JS, so if your site has any XSS exploits this could be a bad thing

That 'remember me' option...I dunno it's nice...phpBB supports it as do a plethora of popular, high profile sites, but personally I find it risky...and I would prefer not having such a feature...

If I had to support something like remember me, I think I'd rather just extend the life of my SESSION to a couple days or weeks, rather than expose the password in plaintext.

One technique I used years ago when I had a client request some kind of auto-login facility was to generate a unique ID (similar to a session) and redirect to a page with a URI like:

login.php?AID=63JD7923GDJ6826323
Then I explained to my client that he would have to bookmark the URI and could just use that bookmark to auto-login...at least the AID was only sent once per session.

Now if I were requested to do such a thing, I might store the password in COOKIE but ensure it was only accessible via SSL.
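
Added example (not part of any post in this thread): a sketch of a "remember me" cookie that carries a random single-use token instead of the password, with the Secure and HttpOnly cookie flags addressing the two numbered points in the post above. The function names, the in-memory $store array standing in for a database table, the cookie name and the user id are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example: remember-me via a random token, never the password.
// $store is an in-memory stand-in for a database table (assumption).

function issue_remember_token(array &$store, int $userId, int $ttl = 1209600): array
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, sent only to the browser
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // server keeps only the hash
        'expires' => time() + $ttl,
    ];
    return [
        'value'   => $selector . ':' . $validator,
        'options' => [
            'expires'  => time() + $ttl,
            'path'     => '/',
            'secure'   => true,   // point 1: cookie is sent over SSL/TLS only
            'httponly' => true,   // point 2: cookie is not readable from JS
            'samesite' => 'Lax',
        ],
    ];
}

function redeem_remember_token(array &$store, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]); // single use; a failed or expired attempt also discards it
    if ($row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash against the presented validator.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id']; // caller starts a session and issues a fresh token
}

$store  = [];
$cookie = issue_remember_token($store, 42); // 42 is a constructed user id
// In a real response: setcookie('remember', $cookie['value'], $cookie['options']);
var_dump(redeem_remember_token($store, $cookie['value'])); // first use
var_dump(redeem_remember_token($store, $cookie['value'])); // replay of the same value
```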