[development] Security review for new "Remember Me" module?

Barry Jaspan barry at jaspan.org
Tue Oct 10 17:59:31 UTC 2006

At some point in the past, before I joined the Drupal party, Drupal 
apparently had the standard "Remember Me" login functionality but it 
was removed.  There was at least one long discussion about it on d.o 
a year or two ago and it resulted in patches to move ini_set calls 
into settings.php but did not result in a new Remember Me 
checkbox.  I could not really tell why and several inquiries on 
#drupal went unanswered.

Anyway, I have now created a new Remember Me module (presently in my 
sandbox, bjaspan/remember_me).  Its design is based on "Persistent Login Cookie
Best Practice" by Charles Miller, 01/19/2004, 
It is more user-friendly, flexible, and secure than a long-life PHP 
session.  Although I do not propose adding to this core, since it is 
obviously security-critical I'd like to have it audited before I 
commit it to contrib.  Any takers?

Note to user 'doq': I see that you have already created a module 
called remember_me.  I think this new one is substantially more 
complete and secure so I suggest we replace yours with it, though I 
welcome your suggestions and comments.



More information about the development mailing list