Login script
I wondered if anyone had used or considered this one I found http://www.evolt.org/node/60384 and what did or do you think of it?
Re: Login script
So much work for so much suck. Insecure as well.
-
alex.barylski
Re: Login script
I viewed the link and saw this:
"Passwords are not stored in cookies"
Why would passwords be stored in COOKIEs?
- JAB Creations
Re: Login script
PCSpectra wrote: Why would passwords be stored in COOKIEs?
Err, wow...
-
alex.barylski
Re: Login script
"Then when the page is loaded their username is echoed in to the form so if their password is saved all they have to do is press the sign-in button."
Storing a password in the COOKIE has two potential consequences:
1. COOKIE is transmitted each request -- unless you're using SSL, bad idea
2. COOKIE is easily accessed via JS so if your site has any XSS exploits this could be a bad thing
That 'remember me' option...I dunno it's nice...phpBB supports it as do a plethora of popular, high profile sites, but personally I find it risky...and I would prefer not having such a feature...
If I had to support something like remember me, I think I'd rather just extend the life of my SESSION to a couple days or weeks, rather than expose the password in plaintext.
One technique I used years ago when I had a client request some kind of auto-login facility was to generate a unique ID (similar to a session) and redirect to a page with a URI like:
Code:
login.php?AID=63JD7923GDJ6826323
Now if I were requested to do such a thing, I might store the password in COOKIE but ensure it was only accessible via SSL.