Barry Jaspan wrote:
Dries,
I completely agree with your decision to add OpenID to core. I'd like to see OpenID be a part of a generally improved user authentication and security story for D6. My "wipe open sessions on password-change" patch has already been committed (thanks!). Other changes I suggest:
1. Require (instead of request) a password change after one-time login (http://drupal.org/node/138805). I will finish up this patch and mark needs-review soon.
2. Add the Persistent Login (aka "Remember Me"; http://drupal.org/project/persistent_login) module to core. Persistent Login is *more secure* than long-life session cookies in addition to providing a better user experience. There are a couple of non-security-related issues for this module I will clean up.
3. Change the default PHP session cookie lifetime to 0 (browser lifetime only). Once Persistent Login is in place, the security risk and database overhead of long-life PHP sessions are no longer necessary.
Thoughts?
Thanks,
Barry
+1 to each of the above!

Susan
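As an added illustration of Barry's items 2 and 3 (constructed for this thread, not code from Drupal or the persistent_login module), the sketch below keeps the PHP-style session at browser lifetime and handles "remember me" with a separate series:token cookie whose token is stored only as a hash and rotated on every use; the theft-detection rule (right series, stale token) is this example's own assumption about why such a scheme beats a long-lived session cookie.

```python
"""Remember-me via a separate persistent-login token instead of a long-lived session.
Constructed example: the session cookie lives only as long as the browser; a second
cookie carries series:token; the server keeps only sha256(token) and rotates the token
on each redemption, so a replayed old cookie is detected as theft."""
import hashlib
import hmac
import secrets


def _h(token: str) -> str:
    # Only this digest is stored; a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self.sessions: dict[str, int] = {}                # sid -> uid (browser-lifetime)
        self.persistent: dict[str, tuple[int, str]] = {}  # series -> (uid, sha256(token))

    def start_session(self, uid: int) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = uid
        return sid

    def issue_remember_me(self, uid: int) -> str:
        series, token = secrets.token_hex(16), secrets.token_hex(16)
        self.persistent[series] = (uid, _h(token))  # plaintext token is never stored
        return f"{series}:{token}"

    def redeem_remember_me(self, cookie: str):
        """Return (sid, new_cookie) after starting a fresh session, or None.
        Known series with a wrong token means an older copy of the cookie was
        replayed: drop the series and wipe the user's open sessions."""
        series, _, token = cookie.partition(":")
        row = self.persistent.get(series)
        if row is None:
            return None
        uid, token_hash = row
        if not hmac.compare_digest(token_hash, _h(token)):
            del self.persistent[series]
            self.sessions = {s: u for s, u in self.sessions.items() if u != uid}
            return None
        new_token = secrets.token_hex(16)
        self.persistent[series] = (uid, _h(new_token))  # rotate: old cookie is now dead
        return self.start_session(uid), f"{series}:{new_token}"
```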