> The way I've accomplished this is by adding something like an md5key
> column to the users database.
>
> When someone checks the "remember me" button you can generate a key
> based on something like, their username / password / the current date +
> some salt (or whatever you like).
I do something a bit similar to that. The difference is that the "salt" is not known to the web browser. The most important part of this idea is that there is a SECRET which is known only to the server.

Send the user two cookies:

1. A clear-text version of their username
2. An MD5 hashed version of their user name, salted with the SECRET

(Never NEVER give them a cookie with their PASSWORD, or the SECRET.)

When the server gets a request from an un-authenticated user who has these cookies, try re-hashing the clear-text username with the SECRET. If it matches the hashed version in the browser, log the user in.

As far as relying on the browser to remember UID/PW: Sometimes that's OK, and sometimes that's annoying. There are many sites on which I prefer that I don't have to log in every time I go there. For example, Gmail.

Jesse

Jesse Erlbaum
The Erlbaum Group, LLC
817 Broadway, 10th floor
New York, NY 10003
212-684-6161 (office)
917-647-3059 (mobile)
212-684-6226 (fax)
[email protected]

CGI::Application community mailing list
Web archive: http://www.erlbaum.net/pipermail/cgiapp/
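The two-cookie scheme Jesse describes, written out as an added example (not code from the post or from CGI::Application): the server keeps a SECRET, issues the clear-text username plus an MD5 of that username salted with the SECRET, and on a later request re-hashes and compares before logging the user in. The SECRET value and the function names are assumptions made for this example.

```python
import hashlib
import hmac

# Server-side secret; it is never sent to the browser. This is a constructed
# placeholder for the example; a deployment would load it from protected config.
SECRET = b"example-server-secret-do-not-ship"


def remember_me_cookies(username: str, secret: bytes = SECRET) -> dict:
    """Build the two cookies: the clear-text username, and an MD5 of the
    username salted with the server SECRET. Neither the password nor the
    SECRET itself ever goes to the browser."""
    token = hashlib.md5(secret + username.encode("utf-8")).hexdigest()
    return {"user": username, "user_hash": token}


def user_from_cookies(cookies: dict, secret: bytes = SECRET):
    """Re-hash the clear-text username cookie with SECRET. If it matches the
    hash the browser presented, return the username to log in; otherwise
    return None (missing cookie, edited username, or wrong server secret)."""
    username = cookies.get("user")
    presented = cookies.get("user_hash")
    if not username or not presented:
        return None
    expected = hashlib.md5(secret + username.encode("utf-8")).hexdigest()
    # Constant-time comparison so a mismatch does not leak which byte differed.
    if hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return username
    return None


if __name__ == "__main__":
    issued = remember_me_cookies("alice")
    print("issued:", issued)
    print("valid cookies ->", user_from_cookies(issued))
    # A client that edits the clear-text username but keeps the old hash is rejected.
    forged = {"user": "bob", "user_hash": issued["user_hash"]}
    print("edited username ->", user_from_cookies(forged))
```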
