LGF Login Notes 9 - Persistent Login


Here’s an open thread for Sunday afternoon (that’s what these login notes threads all turn into anyway).

Again I’m tweaking and revamping things in the login system, so don’t be surprised if something behaves oddly.

The new feature I’m working on is not fully tested yet, but it’s a change in the way the ‘Remember me’ cookie works. (Update: the feature described below is now activated.)

The old way: your login information was saved in an encrypted cookie and used to pre-fill the login forms. Problem: insecure, for several reasons we won’t go into right now.

The new way: the ‘Remember me’ cookie will be a ‘persistent login’ cookie, that lasts for a week from your last login. If you check ‘Remember me’ when you log in, from that point on you will be automatically logged in every time you visit LGF (as long as you don’t stay away for more than a week), using a token-based authentication scheme that never transmits your password over the web, even in encrypted form. End result: much more secure on the server side, and much more convenient for registered users.

(The technique is similar to the one described in Chris Shiflett’s book, Essential PHP Security. If you must know.)

The ‘log out’ feature will also destroy the ‘Remember me’ cookie, so if you log out, you’re logged out for good—until you check the ‘Remember me’ box and log in again.

You don’t have to use persistent login; you can still log in without it, and it will last to the end of your browser session or until you log out (or for 6 hours, the maximum session lifetime).

Note: many browsers now have an ‘autofill’ feature that remembers login information and pre-fills forms. If you continue to see the forms being filled out automatically even after logging out, it’s probably your browser doing it.

UPDATE at 4/15/07 3:23:22 pm:

I should let you know about one more new feature that IS live now: there’s a ‘throttling’ mechanism in place to prevent automated password-guessing attacks. If you enter an incorrect username or password and receive an authentication failure, you have to wait for a little while before trying again. If you try again before the timeout, you’ll get another error even if the username/password are correct. (The moral is: have patience, grasshopper.)
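As an added illustration (not LGF’s code, which this post never shows), here is a minimal Python sketch of the two mechanisms described above: a ‘Remember me’ token that is kept only as a hash on the server and expires a week after login, with logout destroying it, plus the failure throttle from this update. The 30-second timeout and the plaintext password table are assumptions made for the example; the post gives no figure and real systems store password hashes.

```python
import hashlib
import hmac
import secrets

PERSIST_SECONDS = 7 * 24 * 3600   # the post's one-week persistent login window
THROTTLE_SECONDS = 30             # assumed lockout after a failed login (the post gives no figure)


class LoginSystem:
    """Token-based 'Remember me' plus login throttling; `now` is injected so tests can move time."""

    def __init__(self, passwords, now):
        self.passwords = passwords   # username -> password (plaintext only to keep the example short)
        self.now = now
        self.tokens = {}             # sha256(token) -> (username, expires_at); raw token never stored
        self.locked_until = {}       # username -> time before which any login attempt is refused

    def login(self, username, password, remember=False):
        """Password login with throttling. Returns (ok, remember_me_cookie_or_None)."""
        if self.now() < self.locked_until.get(username, 0):
            return False, None       # inside the timeout: fail even if the credentials are right
        expected = self.passwords.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            self.locked_until[username] = self.now() + THROTTLE_SECONDS
            return False, None
        return True, (self.issue_token(username) if remember else None)

    def issue_token(self, username):
        """Mint a random token unrelated to the password; the cookie carries the raw token."""
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = (username, self.now() + PERSIST_SECONDS)
        return token

    def auto_login(self, cookie_token):
        """Authenticate from the cookie alone: no password travels or is stored in it."""
        key = self._hash(cookie_token)
        entry = self.tokens.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self.now() > expires_at:
            del self.tokens[key]     # expired: forget it so the cookie cannot be revived
            return None
        return username

    def logout(self, cookie_token):
        """Logging out destroys the server-side token, so the cookie is dead for good."""
        self.tokens.pop(self._hash(cookie_token), None)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()
```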

UPDATE at 4/15/07 3:44:02 pm:

The new persistent login feature described above is now activated. Registered users may wish to log out and log back in, just to make sure you’re starting from the right place.
