[cgiapp] Safe way to remember user login?

Michael Peters mpeters at plusthree.com
Wed Jan 14 09:01:07 EST 2009


Mark Fuller wrote:

> I don't understand the "remember me" thing. If you use a cookie with a
> session key, and maintain on the server side that the user wants to be
> "remembered," why even display the login page to them? Just treat them
> as already logged in, and let them into your site? 

That's a good way to leave yourself vulnerable to CSRF attacks. If you prevent CSRF attacks in other 
ways (using referer, single use submission tokens, etc) then you're probably ok.

> Maybe I don't get it.

Just tell people to get a decent browser that remembers those things for them. Then they can worry 
about the security of their own machine and you won't be responsible if they lose their credentials.
Besides, if you were doing your passwords correctly, you wouldn't even be able to fill in the form 
since you wouldn't know what it is, only they would.

-- 
Michael Peters
Plus Three, LP
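The single-use submission token Michael mentions, as an added Perl example (it is not code from this thread or from CGI::Application); the session id, the in-memory store and the 15-minute lifetime are assumptions, and in a real application the store would live in the server-side session:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Per-session store of *hashes* of outstanding single-use tokens.
# Assumption: one bucket per user session; here a process global for the demo.
my %tokens;
my $TOKEN_TTL = 15 * 60;   # seconds a token stays valid before it is discarded

# Read 32 bytes from the OS CSPRNG (assumes a Unix-like host).
sub random_hex {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Mint a token for this session; the server only keeps its hash,
# so a leaked store cannot be used to forge submissions.
sub issue_token {
    my ($session_id) = @_;
    my $token = random_hex();
    $tokens{$session_id}{ sha256_hex($token) } = time;
    return $token;   # embed in a hidden form field
}

# Accept the token once, then forget it. Returns 1 on success, 0 otherwise.
# A cross-site forged request cannot read the form, so it cannot supply this.
sub consume_token {
    my ($session_id, $token) = @_;
    return 0 unless defined $session_id && defined $token;
    my $bucket = $tokens{$session_id} or return 0;
    my $issued = delete $bucket->{ sha256_hex($token) };   # single use
    return 0 unless defined $issued;
    return 0 if time - $issued > $TOKEN_TTL;               # stale token
    return 1;
}

# Demo with a constructed session id.
my $sid   = 'sess-demo-1';
my $token = issue_token($sid);
print "first submit:  ", consume_token($sid, $token) ? "ok\n" : "rejected\n";
print "replayed:      ", consume_token($sid, $token) ? "ok\n" : "rejected\n";
print "other session: ", consume_token('sess-demo-2', issue_token($sid)) ? "ok\n" : "rejected\n";
```

The token is bound to the session and consumed on first use, so a request that arrives with the "remember me" cookie alone is still rejected.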
