They'll be using persistent cookies.

The cookie is saved on your PC with an expiry date weeks or months (or, if you are Google, years) away. Unlike session cookies, that cookie won't be deleted when you exit the browser.

The browser passes the cookie to the website each time it (the browser) accesses the site.

Your CGI programs on the website can then use the cookie to retrieve whatever stored info they have about the PC that has stored the cookie.

Lots more at:
[cookiecentral.com...]

>victor
Thanks for the reply. Didn't realise it was as simple as that and also not really using my brain this morning...we've already got a neat facility in Coldfusion for doing this...I guess just set a persistent cookie, look for it next logon and then retrieve password from database and fill hidden field.

Off to read the manual properly!

Read the manual well.

If done poorly these type of systems allow easy identity theft by changing manually the persistent cookie content...

Thanks for the advice. The coldfusion system seems to be set up so that the cookie is just an identifier for the browser, the id's are stored on the server and matched to the browser before any information comes out of the database.

Glad to hear it's okay now yump.

I *think* what starec means is that the persistent cookie will be around, and not very secure, on the user's PC for possibibly years.

If I can get hold of someone's cookie and copy it to my machine, I can access your site, and you think I'm them.

This is true too of session cookies, but they are around for not very long so the risk is reduced (unless you always serve the same cookie to the same userid, in which case they are as insecure as persistent cookies)

I see what you mean. Actually should be alright as it doesn't need watertight security - its mainly for convenience for visitors editing 'stories', but don't want any embarrassing PR, so will double check everything.