LGF Login Notes 10
The login system has reached a fairly stable point in its development, so here’s one more post describing the changes and/or enhancements that happened over the weekend.
1) The operation of the ‘Remember me’ checkbox has been completely revamped for a) extra security for us, and b) extra convenience for you. If you check that box while logging in, LGF sends your browser a ‘persistent login’ cookie that allows you to remain logged in without filling in the form and submitting it, as long as you visit LGF at least once a week. Wait longer than a week between visits, and the persistent login cookie expires and you’ll have to log in again. For security, the cookie does NOT include your password; it’s a token-based system, which sounds (and is) geeky, but makes it much safer.
2) If you ‘log out’ from LGF (on any page where you see a ‘log out’ button or link), the persistent login cookie is destroyed and you’ll have to log in again in order to post comments.
3) The Account Management page now requires a login each time you access it, regardless of whether you’re already logged in by other means. This is an additional security measure.
4) Ajax is used for the login process, to authenticate your information and log you in without a page reload. The speed improvement is enormous, especially on a page with a couple of hundred comments.
5) And since several people have emailed about it, my Ajax client/server code is fully protected against the JavaScript Hijacking exploit described at Bruce Schneier’s blog. (Actually, doubly protected.)
6) Finally, a reminder that it’s really important to change your password every once in a while—which you can do in the Account Management page. We’re not protecting any nuclear secrets here, but by occasionally changing your LGF password you can take a proactive hand in securing your own information.
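
An added illustration of the token-based ‘Remember me’ cookie from items 1 and 2, not LGF’s actual code: a minimal server-side token store in Python. The class name, the SHA-256 storage and the rotate-on-use step are assumptions of this example; the one-week lifetime, the password-free cookie and destroy-on-logout come from the post.

```python
import hashlib
import secrets
import time

WEEK = 7 * 24 * 3600  # from the post: visit at least once a week


class PersistentLogins:
    """In-memory stand-in for a server-side token table (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised offline
        self._rows = {}      # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Called when 'Remember me' is checked; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # random; carries no password
        self._rows[self._digest(token)] = (user, self._clock() + WEEK)
        return token

    def resume(self, token):
        """Return (user, new_token) for a valid cookie, else None."""
        row = self._rows.pop(self._digest(token), None)  # each token works once
        if row is None:
            return None  # unknown, already used, or logged out
        user, expires_at = row
        if self._clock() >= expires_at:
            return None  # more than a week since the last visit
        # Assumption of this example: rotate the token and restart the week.
        return user, self.issue(user)

    def logout(self, token):
        """'Log out' destroys the server-side record behind this cookie."""
        self._rows.pop(self._digest(token), None)
```

The value returned by `issue` or `resume` is what would be sent back to the browser as the cookie; everything needed to validate it stays on the server.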