From: Bill Moseley [mailto:[EMAIL PROTECTED]]

> What's the current thinking about those "remember me" checkboxes on
> login forms that basically allow users to return to the site and
> automatically log in?

For private business apps in the past I've persisted the session cookie and updated the "last action time" on each validated screen load. When that times out (between 5 and 30 minutes of inactivity) the credentials are dropped and they get a login screen. I also tied the cookie to a specific TCP/IP source address. You can spoof that but it's one more hurdle.

For a public web app the most common behaviour I've noticed is that "remember me" gives you access to the site as the user but that each time you enter a critical section (e.g. to confirm payment) you are re-prompted for your password, and I presume either timed access or a separate short term auth cookie holding one-time transaction numbers for each step is used for that section. I guess this is mainly to avoid script-based browser hijacking but also to avoid captured cookie replay attacks.

Regards,
Peter

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
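An added illustration of the scheme Peter describes (not code from the thread or from Catalyst): a persistent "remember me" token whose session is bound to the client's source address, dropped after an inactivity timeout, and which only admits a critical section during a short timed window opened by a fresh password check. The 30-minute inactivity limit is the upper end of the figure quoted above; the 5-minute step-up window, the store layout and the sample addresses are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

INACTIVITY_TIMEOUT = 30 * 60   # seconds; the thread cites 5-30 minutes of inactivity
STEP_UP_WINDOW = 5 * 60        # assumed: how long a password re-prompt stays valid

@dataclass
class Session:
    user: str
    source_ip: str              # the cookie is tied to the address that created it
    last_action: float          # refreshed on every validated screen load
    step_up_until: float = 0.0  # end of the timed window for the critical section

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, source_ip: str, now: float) -> str:
        # The random token is what goes into the persistent "remember me" cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, source_ip, now)
        return token

    def validate(self, token: str, source_ip: str, now: float) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is None:
            return None
        # Wrong source address or too long idle: drop the credentials so the
        # caller shows the login screen instead of trusting the cookie.
        if s.source_ip != source_ip or now - s.last_action > INACTIVITY_TIMEOUT:
            self._sessions.pop(token, None)
            return None
        s.last_action = now
        return s

    def step_up(self, token: str, source_ip: str, password_ok: bool, now: float) -> bool:
        # Entering a critical section (e.g. confirming payment) re-prompts for the
        # password; a correct answer opens a short timed window for that section.
        s = self.validate(token, source_ip, now)
        if s is None or not password_ok:
            return False
        s.step_up_until = now + STEP_UP_WINDOW
        return True

    def allow_critical(self, token: str, source_ip: str, now: float) -> bool:
        # A remembered login alone is never enough for the critical section.
        s = self.validate(token, source_ip, now)
        return s is not None and now < s.step_up_until
```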
