2007/12/10 13:41:34
#1
Home away from home

Adding a Remember Me on this very site

Quick thing,

When this site becomes community.impresscms.org, would it be possible to add Gijoe's remember me feature? I think I have logged here about 30 times today!

Thoughts


2007/12/10 14:16:56
#2
Not too shy to talk

Re: Adding a Remember Me on this very site

+1


2007/12/10 14:34:14
#3
Home away from home

Re: Adding a Remember Me on this very site

yes i think it may be a good idea. it has my vote.

i think once we become community.impresscms.org tho, we should be using impresscms core imo. think gijoe hack should be included in impresscms core as default (but with an option in admin to disable it on a group basis)

for now i've set the session time here to 24hrs.

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2007/12/10 15:43:01
#4
Home away from home

Re: Adding a Remember Me on this very site

-1 For security reasons.

_________________
JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...

2007/12/10 15:55:48
#5
Home away from home

Re: Adding a Remember Me on this very site

james, i understand some of the security ramifications of 'remember me', but i honestly don't think it's as big an issue as all the other exploits and vulnerabilities that crackers/hackers & script kiddies use to gain access.

I haven't seen or heard of any sites being hacked where the entry point was via the remember me hack.. most of what i have come across have been some kind of SQLi or input validation methods, or files placed on the server through various methods.

but of course it's open to discussion :)

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2007/12/10 16:02:33
#6
Home away from home

Re: Adding a Remember Me on this very site

Any "feature" that introduces a potential security risk that only provides functionality that can easily be replicated with one mouse click in a browser is a "feature" that has too high of a risk to justify its usefulness IMHO. But then again, I am p@r@n0!d.

_________________
JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...

2007/12/10 16:25:48
#7
Home away from home

Re: Adding a Remember Me on this very site

It is a potential security risk. One reason is using the feature on a shared computer, and neglecting to log out. Another reason is that it makes it easier for an attacker to gain access by hijacking an existing active session.

For these reasons, it should be disabled by default, and the setting in the admin page should have a note explaining the risk.

But it's also a very convenient feature. I think that the individual webmaster should have the choice of whether to use the feature for his site.


2007/12/10 16:32:53
#8
Home away from home

Re: Adding a Remember Me on this very site

agreed with james & dave's points.

we just need to weigh up the convenience vs potential risks involved and agree to them either way.

which brings me to another feature request i think would be useful.

in admin we could do with a function that will instantly flush the session table and basically destroy all current valid sessions without the need for going into the db manually, or changing the session name.

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2007/12/10 18:33:01
#9
Home away from home

Re: Adding a Remember Me on this very site

So can we agree on this: put Gijoe's remember me feature in the core, controlled by a preference, turned Off by default.

_________________
Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS

2007/12/10 20:07:29
#10
Home away from home

Re: Adding a Remember Me on this very site

Sounds like a reasonable compromise.

_________________
JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...

2007/12/10 21:26:32
#11
Home away from home

Re: Adding a Remember Me on this very site

Quote:


Vaughan wrote:
in admin we could do with a function that will instantly flush the session table and basically destroy all current valid sessions without the need for going into the db manually, or changing the session name.



A very good idea.

On the same note - as I've sometimes still seen the XOOPS bug where themes are not refreshed immediately - how about something like James's "delete template_c" routine being added near this - which we use here, to effect immediate changes?

(Something that will remove all contents from cache, template c, and similar folders - except for the usual index.html of course)


2007/12/10 21:30:43
#12
Home away from home

Re: Adding a Remember Me on this very site

Also another nod towards a developer who I think deserves it (GiJoe)

