On Tue, Dec 11, 2007 at 07:50:11AM +0000, Carl Franks wrote:
> I think first, you have to make a judgement about the value of the
> data / functionality you're offering.

Yes, indeed, and I left that out of my question. I agree with what you and Peter said about the Amazon model. It's convenient and seems to work well. Yahoo implements something similar although they seem to ask for the password more often.

I'm less convinced of that model with an application that might contain all user-generated (private) data and where using the application might incur charges to the user. Perhaps moving to all SSL pages for the content part of that kind of site would at least ensure that the cookies are not hijacked. That would at least bring it up to the level of the login screen since the credentials (username/password or cookie) would be over an encrypted connection. But, still doesn't protect against, say, a co-worker using that machine.

> I'm not bothered if someone comes along after me and can see what's in
> my basket. If I were on a public machine, I know to logout manually.

What does "logout" do with respect to the "remember me" state? Should it remove just that machine's "remember me" cookie (and server-side token) or all of the user's state (as when they used multiple browsers/machines to log in)?

I log into many places where the data isn't very important so have become used to letting the browser remember my credentials. So, that extra step of clicking the login button doesn't feel inconvenient. Others are probably more used to a "remember me" feature. I prefer to manage my own credential store, but I suppose it depends where you consider the greater threat -- hijacking en route cookies vs. physical access to the computer.

It's nice when a level of security can be moved to a layer above the application -- less code to be insecure in the application. ;) That's kind of what using the browser to remember form data does.

Thanks for the feedback.
--
Bill Moseley
[EMAIL PROTECTED]

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
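The "logout on this machine vs. logout everywhere" question raised in the thread, as an added example (my own illustration, not code from the thread or from Catalyst): a server-side "remember me" token store that keeps one token per browser/machine, stores only a digest of the secret part, and supports both kinds of revocation. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """Server-side 'remember me' tokens, one record per browser/machine.

    Cookie value is "selector:validator". Only a SHA-256 digest of the
    validator is stored, so a copy of the table is not a set of usable cookies.
    (Hypothetical store for illustration; names here are assumptions.)
    """

    def __init__(self):
        # selector -> (user, sha256 hex digest of validator)
        self._tokens = {}

    @staticmethod
    def _digest(validator):
        return hashlib.sha256(validator.encode()).hexdigest()

    def issue(self, user):
        """Log in on a new machine: mint a fresh token, return the cookie value."""
        selector = secrets.token_hex(8)        # public lookup key, never contains ':'
        validator = secrets.token_urlsafe(32)  # secret part, never stored in clear
        self._tokens[selector] = (user, self._digest(validator))
        return f"{selector}:{validator}"

    def check(self, cookie):
        """Return the cookie's user, or None if it is malformed, revoked or forged."""
        selector, sep, validator = cookie.partition(":")
        record = self._tokens.get(selector) if sep else None
        if record is None:
            return None
        user, stored = record
        # constant-time compare so a forged validator cannot be guessed byte by byte
        if not hmac.compare_digest(stored, self._digest(validator)):
            return None
        return user

    def logout_here(self, cookie):
        """Logout on this machine only: revoke the token in this browser's cookie."""
        if self.check(cookie) is not None:
            del self._tokens[cookie.partition(":")[0]]

    def logout_everywhere(self, user):
        """Logout everywhere: revoke every machine's token for the user."""
        for selector in [s for s, (u, _) in self._tokens.items() if u == user]:
            del self._tokens[selector]
```

Which of the two logout operations a site's "logout" link should trigger is the policy question from the thread; the store above lets either be offered.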
