[development] Two new core modules

Barry Jaspan barry at jaspan.org
Tue May 1 14:30:28 UTC 2007


I completely agree with your decision to add OpenID to core.  I'd like
to see OpenID be a part of a generally improved user authentication
and security story for D6.  My "wipe open sessions on password-change"
patch has already been committed (thanks!).  Other changes I suggest:

1.  Require (instead of request) a password change after one-time
login (http://drupal.org/node/138805).  I will finish up this patch
and mark needs-review soon.

2.  Add the Persistent Login (aka "Remember Me";
http://drupal.org/project/persistent_login) module to core.
Persistent Login is *more secure* than long-life session cookies in
addition to providing a better user experience.  There are a couple
non-security related issues for this module I will clean up.

3.  Change the default PHP session cookie lifetime to 0 (browser
lifetime only).  Once Persistent Login is in place, the security risk
and database overhead of long-life PHP sessions is no longer




More information about the development mailing list