2007/12/10 13:41:34
|
---|
|
Adding a Remember Me on this very siteQUick thing,
When this site becomes community.impresscms.org, would it be possible to add Gijoe's remember me feature ? I think I have loged here about 30 times today ! Thoughts |
2007/12/10 14:16:56
|
---|
|
Re: Adding a Remember Me on this very site+1
|
2007/12/10 14:34:14
|
---|
|
Re: Adding a Remember Me on this very siteyes i think it maybe a good idea. it has my vote.
i think once we become community.impresscms.org tho, we should be using impresscms core imo. think gijoe hack should be included in impresscms core as default (but with an option in admin to disable it on a group basis) for now i've set the session time here to 24hrs. |
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together! |
2007/12/10 15:43:01
|
---|
|
Re: Adding a Remember Me on this very site-1 For security reasons.
|
_________________
JMorris (aka James Morris) ImpressCMS Professional Services: INBOX International inc. James Morris Online | Frolicking on the playground that is the Internet... |
2007/12/10 15:55:48
|
---|
|
Re: Adding a Remember Me on this very sitejames, i understand some of the security ramifications of 'remember me', but i honestly don't think it's as big an issue as all the other exploits and vulnerabilities that crackers/hackers & script kiddies use to gain access.
I haven't seen or heard of any sites being hacked where the entry point was via the remember me hack.. most of what i have come across have been some kind of SQLi or input validation methods, or files placed on the server through various methods. but of course it's open to discussion :) |
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together! |
2007/12/10 16:02:33
|
---|
|
Re: Adding a Remember Me on this very siteAny "feature" that introduces a potential security risk that only provides functionality that can easily be replicated with one mouse click in a browser is a "feature" that has too high of a risk to justify its usefulness IMHO. But then again, I am p@r@n0!d.
|
_________________
JMorris (aka James Morris) ImpressCMS Professional Services: INBOX International inc. James Morris Online | Frolicking on the playground that is the Internet... |
2007/12/10 16:25:48
|
---|
|
Re: Adding a Remember Me on this very siteIt is a potential security risk. One reason is using the feature on a shared computer, and neglecting to log out. Another reason is that it makes it easier for an attacker to gain access by hijacking an existing active session.
For these reasons, it should be disabled by default, and the setting in the admin page should have a note explaining the risk. But it's also a very convenient feature. I think that the individual webmaster should have the choice of whether to use the feature for his site. |
2007/12/10 16:32:53
|
---|
|
Re: Adding a Remember Me on this very siteagreed with james & dave's points.
we just need to weigh up the convenience vs potential risks involved and agree to them either way. which brings me to another feature request i think would be useful. in admin we could do with a function that will instantly flush the session table and basicly destroy all current valid sessions without the need for going into the db manually, or changing the session name. |
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together! |
2007/12/10 18:33:01
|
---|
|
Re: Adding a Remember Me on this very siteSo can we agree on this: put Gijoe's remember me feature in the core, controlled by a preference, turned Off by default.
|
2007/12/10 20:07:29
|
---|
|
Re: Adding a Remember Me on this very siteSounds like a reasonable compromise.
|
_________________
JMorris (aka James Morris) ImpressCMS Professional Services: INBOX International inc. James Morris Online | Frolicking on the playground that is the Internet... |
2007/12/10 21:26:32
|
---|
|
Re: Adding a Remember Me on this very siteQuote:
A very good idea. On the same note - as I've sometimes still seen the XOOPS bug where themes are not refreshed immediately - how about something like James's "delete template_c" routine being added near this - which we use here, to effect immediate changes? (Something that will remove all contents from cache, template c, and similar folders - except for the ususal index.html of course) |
2007/12/10 21:30:43
|
---|
|
Re: Adding a Remember Me on this very siteAlso another nod towards a developer who I think deserves it (GiJoe)
|