Login script

Posted: Tue Feb 03, 2009 10:15 am
by mikes1471
I wondered if anyone had used or considered this one I found http://www.evolt.org/node/60384 and what did or do you think of it?

Re: Login script

Posted: Thu Feb 05, 2009 5:17 pm
by Mordred
So much work for so much suck. Insecure as well.

Re: Login script

Posted: Thu Feb 05, 2009 5:35 pm
by alex.barylski
I viewed the link and seen this:
Passwords are not stored in cookies
Why would passwords be stored in COOKIEs? :lol:

Re: Login script

Posted: Thu Feb 05, 2009 10:20 pm
by JAB Creations
PCSpectra wrote: Why would passwords be stored in COOKIEs? :lol:
Err, wow... 8O Seriously, with auto-complete all I've done with Version 2.9 of my site is save a cookie with the user's username. Then when the page is loaded their username is echoed into the form so if their password is saved all they have to do is press the sign-in button.

Re: Login script

Posted: Fri Feb 06, 2009 12:34 am
by alex.barylski
Then when the page is loaded their username is echoed in to the form so if their password is saved all they have to do is press the sign-in button.
Storing a password in the COOKIE has two potential consequences:

1. COOKIE is transmitted each request -- unless you're using SSL, bad idea
2. COOKIE is easily accessed via JS, so if your site has any XSS exploits this could be a bad thing

That 'remember me' option...I dunno it's nice...phpBB supports it as do a plethora of popular, high profile sites, but personally I find it risky...and I would prefer not having such a feature...

If I had to support something like remember me, I think I'd rather just extend the life of my SESSION to a couple days or weeks, rather than expose the password in plaintext.

One technique I used years ago when I had a client request some kind of auto-login facility was to generate a unique ID (similar to a session) and redirect to a page with a URI like:

login.php?AID=63JD7923GDJ6826323
Then I explained to my client that he would have to bookmark the URI and could just use that bookmark to auto-login...at least the AID was only sent once per session.

Now if I were requested to do such a thing, I might store the password in COOKIE but ensure it was only accessible via SSL.
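A token-based "remember me" of the kind alex.barylski sketches (a random ID instead of the password, only ever sent over SSL and kept away from JavaScript), written as an added example that is not code from this thread or from the evolt script; the in-memory token table, the cookie name `remember` and the sample username are assumptions:

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Assumed server-side store: sha256(token) -> (username, expiry). Only the hash of
# the token is kept, so a leaked table cannot be replayed as cookies.
_REMEMBER_TOKENS: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_remember_me(username: str, ttl_seconds: int = 14 * 86400,
                      now: Optional[float] = None) -> str:
    """Mint a random opaque token (the post's AID) and return its Set-Cookie header.

    The cookie never carries the password. Secure restricts it to HTTPS
    (consequence 1 above); HttpOnly keeps it out of document.cookie, so an XSS bug
    cannot read it (consequence 2); Max-Age bounds how long a stolen token works."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _REMEMBER_TOKENS[_hash_token(token)] = (username, now + ttl_seconds)
    jar = SimpleCookie()
    jar["remember"] = token
    jar["remember"]["secure"] = True
    jar["remember"]["httponly"] = True
    jar["remember"]["max-age"] = ttl_seconds
    jar["remember"]["samesite"] = "Lax"
    jar["remember"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def user_from_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a Cookie header to a username, or None if absent, unknown or expired.

    Hashing the presented token and looking the hash up means no secret is compared
    byte-by-byte, so a timing side channel on the lookup leaks nothing useful."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("remember")
    if morsel is None:
        return None
    key = _hash_token(morsel.value)
    entry = _REMEMBER_TOKENS.get(key)
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        del _REMEMBER_TOKENS[key]              # expired tokens are purged on sight
        return None
    return username
```

On logout, deleting the stored hash is enough to invalidate the cookie, which a plaintext-password cookie could never offer.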