[development] Two new core modules
Susan Stewart
HedgeMage at binaryredneck.net
Tue May 1 23:13:55 UTC 2007
Barry Jaspan wrote:
> Dries,
>
> I completely agree with your decision to add OpenID to core. I'd like
> to see OpenID be a part of a generally improved user authentication
> and security story for D6. My "wipe open sessions on password-change"
> patch has already been committed (thanks!). Other changes I suggest:
>
> 1. Require (instead of request) a password change after one-time
> login (http://drupal.org/node/138805). I will finish up this patch
> and mark needs-review soon.
>
> 2. Add the Persistent Login (aka "Remember Me";
> http://drupal.org/project/persistent_login) module to core.
> Persistent Login is *more secure* than long-life session cookies in
> addition to providing a better user experience. There are a couple
> non-security related issues for this module I will clean up.
>
> 3. Change the default PHP session cookie lifetime to 0 (browser
> lifetime only). Once Persistent Login is in place, the security risk
> and database overhead of long-life PHP sessions are no longer
> necessary.
>
> Thoughts?
>
> Thanks,
>
> Barry
>
+1 to each of the above!
Susan