How to trigger 'remember me' on passwords?

   
8:25 am on May 13, 2004 (gmt 0)

10+ Year Member



I'm sure this is answered somewhere, but have searched and can't find anything, can anyone help please?

There's a 'remember me' button on some sites - how does it work, because I'd like to use one on my site?

Cheers.

8:42 am on May 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



They'll be using persistent cookies.

The cookie is saved on your PC with an expiry date weeks or months (or, if you are Google, years) away. Unlike session cookies, that cookie won't be deleted when you exit the browser.

The browser passes the cookie to the website each time it (the browser) accesses the site.

Your CGI programs on the website can then use the cookie to retrieve whatever stored info they have about the PC that has stored the cookie.

Lots more at:
[cookiecentral.com...]

9:49 am on May 13, 2004 (gmt 0)

10+ Year Member



>victor
Thanks for the reply. Didn't realise it was as simple as that and also not really using my brain this morning... we've already got a neat facility in ColdFusion for doing this... I guess just set a persistent cookie, look for it next logon and then retrieve password from database and fill hidden field.

Off to read the manual properly!

9:57 am on May 13, 2004 (gmt 0)

10+ Year Member



Read the manual well.

If done poorly, these types of systems allow easy identity theft by manually changing the persistent cookie content...

11:06 am on May 13, 2004 (gmt 0)

10+ Year Member



Thanks for the advice. The ColdFusion system seems to be set up so that the cookie is just an identifier for the browser; the IDs are stored on the server and matched to the browser before any information comes out of the database.

4:30 pm on May 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Glad to hear it's okay now, yump.

I *think* what starec means is that the persistent cookie will be around, and not very secure, on the user's PC for possibly years.

If I can get hold of someone's cookie and copy it to my machine, I can access your site, and you think I'm them.

This is true too of session cookies, but they are around for not very long so the risk is reduced (unless you always serve the same cookie to the same userid, in which case they are as insecure as persistent cookies)

4:54 pm on May 13, 2004 (gmt 0)

10+ Year Member



I see what you mean. Actually should be alright as it doesn't need watertight security - it's mainly for convenience for visitors editing 'stories', but don't want any embarrassing PR, so will double check everything.
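The design discussed in this thread (a persistent cookie that is only an identifier, matched against a server-side record) is sketched below as an added example that is not from any poster; it is written in Python rather than ColdFusion, and `RememberMeStore`, `cookie_header`, the cookie name `remember` and the 30-day lifetime are assumptions. The cookie holds a random value, the server keeps only its hash, an edited value is rejected, and each value works once, so a copied cookie stops working after the next legitimate visit.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

REMEMBER_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days, in seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    """In-memory stand-in for the server-side table (hypothetical name)."""

    def __init__(self):
        self._rows = {}  # selector -> (token_hash, user_id, expires_at)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)  # lookup key, not secret
        token = secrets.token_urlsafe(32)     # secret, only its hash is stored
        self._rows[selector] = (_digest(token), user_id, now + REMEMBER_TTL)
        return f"{selector}.{token}"

    def redeem(self, cookie_value, now=None):
        """Return (user_id, replacement_cookie), or (None, None) if rejected."""
        now = time.time() if now is None else now
        selector, sep, token = (cookie_value or "").partition(".")
        # Every presented selector is consumed: a value is good for one use,
        # and a wrong token for a known selector revokes that login.
        row = self._rows.pop(selector, None)
        if not sep or row is None:
            return None, None
        token_hash, user_id, expires_at = row
        if now >= expires_at or not hmac.compare_digest(token_hash, _digest(token)):
            return None, None
        return user_id, self.issue(user_id, now)  # rotate on every use


def cookie_header(value):
    """Set-Cookie value with the attributes that limit exposure of the token."""
    c = SimpleCookie()
    c["remember"] = value
    c["remember"].update({"max-age": REMEMBER_TTL, "path": "/", "secure": True,
                          "httponly": True, "samesite": "Lax"})
    return c["remember"].OutputString()
```

On a rejected cookie the site falls back to the normal login form.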