[cgiapp] Safe way to remember user login?

Michael Peters mpeters at plusthree.com
Tue Jan 13 14:32:26 EST 2009


Lyle wrote:

> I know a lot of sites have a check box for "remember me" or whatnot.
> But I'm trying to figure out a safe way to do this.

For me, the safest way to do it is to let the browser remember. All the major browsers know how to
remember usernames and passwords nowadays, so why duplicate that feature?

> Saving the username 
> and password in cookies wouldn't be secure, so I guess some kind of 
> cookie ID.

Storing an encrypted username and pw would be ok.

> But then once you display the login form you'd be writing out 
> the password into the <input type=password value=XXXX>, which isn't 
> secure either as someone could view source and grab it.

You're right that if someone checked "remember me" on a public computer then someone else could come 
by later and recover the username and password of the last person to do that. But that's the risk 
that happens when people tell public computers to remember their private information.

-- 
Michael Peters
Plus Three, LP
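
The "cookie ID" idea raised in the quoted question, shown as an added example (not part of the original message and not CGI::Application code): the cookie holds a random selector and validator instead of the credentials, the server stores only a hash of the validator, and each token is accepted once and then replaced. The function names, the in-memory `%remember` store and the use of `/dev/urandom` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Hypothetical in-memory store; a real application would use a database table.
my %remember;    # selector => { user, hash, expires }

# Hex string of $n bytes from the OS CSPRNG (assumes /dev/urandom exists).
sub random_hex {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read($fh, my $buf, $n);
    close $fh;
    die "short read from urandom" unless defined $got && $got == $n;
    return unpack 'H*', $buf;
}

# Called after a successful password login with "remember me" ticked.
# Returns the cookie value; only a hash of the secret half is kept server-side.
sub issue_token {
    my ($user, $ttl) = @_;
    my ($selector, $validator) = (random_hex(8), random_hex(32));
    $remember{$selector} = {
        user => $user, hash => sha256_hex($validator), expires => time() + $ttl,
    };
    return "$selector:$validator";
}

# Called when a request has no session but carries a remember-me cookie.
# Returns (username, replacement cookie value) or an empty list.
sub redeem_token {
    my ($cookie, $ttl) = @_;
    my ($selector, $validator) =
        ($cookie // '') =~ /\A([0-9a-f]{16}):([0-9a-f]{64})\z/ or return;
    my $row = delete $remember{$selector} or return;    # single use
    return if $row->{expires} < time();
    return unless sha256_hex($validator) eq $row->{hash};
    return ($row->{user}, issue_token($row->{user}, $ttl));
}

# Constructed demo: issue, redeem once, then present the old cookie again.
my $ttl    = 30 * 24 * 3600;
my $cookie = issue_token('alice', $ttl);
my ($user, $next) = redeem_token($cookie, $ttl);
print "logged in as $user\n";
print "old cookie rejected\n" unless redeem_token($cookie, $ttl);
```

With this layout nothing is written back into the login form, and deleting the server-side row on logout invalidates the cookie.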


