[development] Security review for new "Remember Me" module?
Barry Jaspan
barry at jaspan.org
Tue Oct 10 17:59:31 UTC 2006

At some point in the past, before I joined the Drupal party, Drupal
apparently had the standard "Remember Me" login functionality but it
was removed. There was at least one long discussion about it on d.o
a year or two ago and it resulted in patches to move ini_set calls
into settings.php but did not result in a new Remember Me
checkbox. I could not really tell why and several inquiries on
#drupal went unanswered.

Anyway, I have now created a new Remember Me module (presently in my
sandbox, bjaspan/remember_me). Its design is based on "Persistent Login Cookie
Best Practice" by Charles Miller, 01/19/2004,
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice.
It is more user-friendly, flexible, and secure than a long-life PHP
session. Although I do not propose adding this to core, since it is
obviously security-critical I'd like to have it audited before I
commit it to contrib. Any takers?

Note to user 'doq': I see that you have already created a module
called remember_me. I think this new one is substantially more
complete and secure so I suggest we replace yours with it, though I
welcome your suggestions and comments.

Thanks,

Barry