LGF Login Notes 9 - Persistent Login
Here’s an open thread for Sunday afternoon (that’s what these login notes threads all turn into anyway).
Again I’m tweaking and revamping things in the login system, so don’t be surprised if something behaves oddly.
The new feature I’m working on is not fully tested yet, but it’s a change in the way the ‘Remember me’ cookie works. (Update: the feature described below is now activated.)
The old way: your login information was saved in an encrypted cookie and used to pre-fill the login forms. Problem: insecure, for several reasons we won’t go into right now.
The new way: the ‘Remember me’ cookie will be a ‘persistent login’ cookie that lasts for a week from your last login. If you check ‘Remember me’ when you log in, from that point on you will be automatically logged in every time you visit LGF (as long as you don’t stay away for more than a week), using a token-based authentication scheme that never transmits your password over the web, even in encrypted form. End result: much more secure on the server side, and much more convenient for registered users.
(The technique is similar to the one described in Chris Shiflett’s book, Essential PHP Security (ASIN 059600656X). If you must know.)
The ‘log out’ feature will also destroy the ‘Remember me’ cookie, so if you log out, you’re logged out for good—until you check the ‘Remember me’ box and log in again.
You don’t have to use persistent login; you can still log in without it, and it will last to the end of your browser session or until you log out (or for 6 hours, the maximum session lifetime).
Note: many browsers now have an ‘autofill’ feature that remembers login information and pre-fills forms. If you continue to see the forms being filled out automatically even after logging out, it’s probably your browser doing it.
UPDATE at 4/15/07 3:23:22 pm:
I should let you know about one more new feature that IS live now: there’s a ‘throttling’ mechanism in place to prevent automated password-guessing attacks. If you enter an incorrect username or password and receive an authentication failure, you have to wait for a little while before trying again. If you try again before the timeout, you’ll get another error even if the username/password are correct. (The moral is: have patience, grasshopper.)
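The two mechanisms this post describes, the token-based ‘Remember me’ cookie (good for a week from the last login, destroyed on logout, password never sent) and the wait after a failed login, sketched together as an added Python example; this is not LGF’s code, and the in-memory stores, the demo credential and the 30-second wait are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_TTL = 7 * 24 * 3600   # the cookie is good for a week from the last login
THROTTLE_SECONDS = 30          # constructed value; the post does not say how long the wait is

# Constructed in-memory stores standing in for the site's database (demo credential only;
# a real deployment stores passwords with a slow hash such as bcrypt).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
REMEMBER_TOKENS = {}   # selector -> {"user", "hash", "expires"}
FAILED_LOGINS = {}     # username -> time of the last authentication failure

def login(username, password, remember=False, now=None):
    """Password login with the post-failure wait; returns (user, cookie) or (None, None)."""
    now = time.time() if now is None else now
    # Throttle: any attempt before the timeout fails, even with correct credentials.
    if now < FAILED_LOGINS.get(username, 0) + THROTTLE_SECONDS:
        return None, None
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(
            stored, hashlib.sha256(password.encode()).hexdigest()):
        FAILED_LOGINS[username] = now
        return None, None
    FAILED_LOGINS.pop(username, None)
    if not remember:
        return username, None
    # Persistent login: a random token unrelated to the password; only its hash is stored.
    selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = {"user": username,
                                 "hash": hashlib.sha256(validator.encode()).hexdigest(),
                                 "expires": now + REMEMBER_TTL}
    return username, f"{selector}:{validator}"

def login_from_cookie(cookie, now=None):
    """Authenticate a returning visitor from the 'Remember me' cookie alone."""
    now = time.time() if now is None else now
    selector, _, validator = cookie.partition(":")
    record = REMEMBER_TOKENS.get(selector)
    if record is None or now > record["expires"]:
        REMEMBER_TOKENS.pop(selector, None)   # expired tokens are purged on sight
        return None
    if not hmac.compare_digest(record["hash"], hashlib.sha256(validator.encode()).hexdigest()):
        return None
    record["expires"] = now + REMEMBER_TTL   # a week from this login, as the post describes
    return record["user"]

def logout(cookie):
    # Destroy the persistent login server-side, so the cookie is useless afterwards.
    REMEMBER_TOKENS.pop(cookie.partition(":")[0], None)
```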
UPDATE at 4/15/07 3:44:02 pm:
The new persistent login feature described above is now activated. Registered users may wish to log out and log back in, just to make sure you’re starting from the right place.