Mark Fuller wrote:

> I don't understand the "remember me" thing. If you use a cookie with a
> session key, and maintain on the server side that the user wants to be
> "remembered," why even display the login page to them? Just treat them
> as already logged in, and let them into your site?

That's a good way to leave yourself vulnerable to CSRF attacks. If you prevent CSRF attacks in other ways (using the Referer header, single-use submission tokens, etc.) then you're probably OK.

> Maybe I don't get it.

Just tell people to get a decent browser that remembers those things for them. Then they can worry about the security of their own machine and you won't be responsible if they lose their credentials. Besides, if you were doing your passwords correctly, you wouldn't even be able to fill in the form since you wouldn't know what it is, only they would.

--
Michael Peters
Plus Three, LP


#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################
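The CSRF point in the reply above, as an added worked example that is not part of the original thread and not CGI::Application code (it is written in Python rather than Perl so it can be run stand-alone): a persistent "remember me" cookie means the browser is always logged in, so a form posted from another site succeeds against a handler that only checks the session cookie. The hardened handler adds the two defences the reply names, a Referer (here Origin, with Referer as fallback) check and a single-use submission token tied to the session. All names (`SESSIONS`, `CSRF_TOKENS`, `SITE_ORIGIN`, the `Request` class, the `change_email_*` handlers) and the forged and legitimate requests are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed in-memory stores for the example; a real app would persist these.
SESSIONS: Dict[str, dict] = {}       # session_id -> {"user": ..., "remember": bool}
CSRF_TOKENS: Dict[str, Set[str]] = {}  # session_id -> unused single-use tokens
SITE_ORIGIN = "https://app.example"   # assumed origin of our own site


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(user: str, remember: bool) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "remember": remember}
    CSRF_TOKENS[sid] = set()
    return sid


def current_user(req: Request) -> Optional[str]:
    """Auto-login from the cookie alone: this is what 'remember me' amounts to."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    return sess["user"] if sess else None


def issue_csrf_token(sid: str) -> str:
    """Mint a single-use token to embed as a hidden field in a rendered form."""
    tok = secrets.token_urlsafe(32)
    CSRF_TOKENS[sid].add(tok)
    return tok


def consume_csrf_token(sid: str, tok: str) -> bool:
    """Accept a token once; a replayed or forged token is rejected."""
    tokens = CSRF_TOKENS.get(sid, set())
    match = next((t for t in tokens if hmac.compare_digest(t, tok)), None)
    if match is None:
        return False
    tokens.discard(match)  # single use: the token is gone after this request
    return True


def same_origin(req: Request) -> bool:
    """Referer-style check; fails closed when neither header is present."""
    src = req.headers.get("Origin") or req.headers.get("Referer") or ""
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def change_email_vulnerable(req: Request) -> Tuple[int, str]:
    """Trusts the remembered session only: any site can post this form."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403, "not logged in"
    return 200, f"email for {user} changed to {req.form.get('email')}"


def change_email_protected(req: Request) -> Tuple[int, str]:
    """Same action, but cross-site posts and token replays are refused."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403, "not logged in"
    if not same_origin(req):
        return 403, "cross-site request rejected"
    if not consume_csrf_token(req.cookies["session"], req.form.get("csrf", "")):
        return 403, "missing, wrong or reused CSRF token"
    return 200, f"email for {user} changed to {req.form.get('email')}"


def demo() -> Dict[str, int]:
    """Replay the attack and the legitimate flow; returns the status codes."""
    sid = login("mark", remember=True)  # user ticked "remember me" long ago
    # Forged POST from another site: the browser attaches the cookie anyway.
    forged = Request("POST", "/change-email", cookies={"session": sid},
                     form={"email": "attacker@evil.example"},
                     headers={"Origin": "https://evil.example"})
    results = {"vulnerable_forged": change_email_vulnerable(forged)[0],
               "protected_forged": change_email_protected(forged)[0]}
    # Legitimate POST: the form our site rendered carried a fresh token.
    tok = issue_csrf_token(sid)
    legit = Request("POST", "/change-email", cookies={"session": sid},
                    form={"email": "mark@example.org", "csrf": tok},
                    headers={"Origin": SITE_ORIGIN})
    results["protected_legit"] = change_email_protected(legit)[0]
    results["protected_replay"] = change_email_protected(legit)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The forged request is accepted by the cookie-only handler and refused by the protected one; the legitimate request succeeds once and its token is dead on the second submission. Note that `same_origin` rejects requests carrying neither header, which is the safe default but can break clients that strip Referer, which is why the token check, not the header check, should be the one you rely on.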
