[development] Two new core modules
Barry Jaspan
barry at jaspan.org
Tue May 1 14:30:28 UTC 2007
Dries,
I completely agree with your decision to add OpenID to core. I'd like
to see OpenID be a part of a generally improved user authentication
and security story for D6. My "wipe open sessions on password-change"
patch has already been committed (thanks!). Other changes I suggest:
1. Require (instead of request) a password change after one-time
login (http://drupal.org/node/138805). I will finish up this patch
and mark needs-review soon.
2. Add the Persistent Login (aka "Remember Me";
http://drupal.org/project/persistent_login) module to core.
Persistent Login is *more secure* than long-life session cookies in
addition to providing a better user experience. There are a couple of
non-security-related issues for this module I will clean up.
3. Change the default PHP session cookie lifetime to 0 (browser
lifetime only). Once Persistent Login is in place, the security risk
and database overhead of long-life PHP sessions is no longer
necessary.
Thoughts?
Thanks,
Barry
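How the three pieces above fit together, as an added illustration in PHP (not the Persistent Login module's code and not the committed Drupal patch): the "remember me" token lives apart from the PHP session, only its hash is stored, it expires on its own, and every remembered login is dropped when the password changes, while the session cookie itself stays browser-lifetime only. The series/token cookie layout and the in-memory store are assumptions of this example.

```php
<?php
// Added illustration, not the Persistent Login module's own code: a
// "remember me" token kept apart from the PHP session (item 2), revoked when
// the password changes (the committed patch), with the PHP session cookie
// itself left at browser lifetime (item 3). The series/token split is an
// assumption of this example.
ini_set('session.cookie_lifetime', '0');   // session cookie dies with the browser

// Constructed in-memory store standing in for a database table.
$persistent_logins = [];   // uid => [hash(series) => ['token_hash' => ..., 'expires' => ...]]

function persistent_login_issue(array &$store, int $uid, int $now, int $lifetime = 30 * 86400): string {
    $series = bin2hex(random_bytes(16));
    $token  = bin2hex(random_bytes(32));
    // Only hashes are stored: a leaked table does not yield usable cookies.
    $store[$uid][hash('sha256', $series)] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => $now + $lifetime,
    ];
    return "$uid:$series:$token";   // cookie value handed to the browser
}

function persistent_login_check(array &$store, string $cookie, int $now): ?int {
    $parts = explode(':', $cookie, 3);
    if (count($parts) !== 3) return NULL;
    [$uid, $series, $token] = $parts;
    $uid = (int) $uid;
    $key = hash('sha256', $series);
    $row = $store[$uid][$key] ?? NULL;
    if ($row === NULL || $row['expires'] <= $now) return NULL;
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // Known series but wrong token: the cookie was probably copied and
        // already spent by someone else. Drop the series so nobody can use it.
        unset($store[$uid][$key]);
        return NULL;
    }
    return $uid;
}

function persistent_login_revoke_all(array &$store, int $uid): void {
    // Password-change path: every remembered login for the user is dropped.
    unset($store[$uid]);
}

$now = time();
$cookie = persistent_login_issue($persistent_logins, 42, $now);
var_dump(persistent_login_check($persistent_logins, $cookie, $now));
persistent_login_revoke_all($persistent_logins, 42);
var_dump(persistent_login_check($persistent_logins, $cookie, $now));
```

A production version would also rotate the token on every successful check and set the cookie with the HttpOnly and Secure flags; both are left out here to keep the store logic readable.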