[Rails] 'remember me' using cookies

Christian Reiniger creinig at dotsrc.org
Fri Jul 28 10:00:39 GMT 2006


On Thursday 27 July 2006 12:45, Alan Bullock wrote:
> I'm about to implement this, and I'm thinking of storing the user's id
> and their hashed password in the cookie after a successful
> authentication.

If you store their hashed password in there, I guess that means that it is 
possible to authenticate to your site knowing only the 
username+passwordhash?

That renders the entire idea of hashing passwords ad absurdum ;)

The usual solution would be to simply use sessions. By default with 
session cookies (destroyed when the browser is closed) and optionally 
("remember me") with long expiry times (14 days?)

Still not really secure, but (a) it's (also) optional, so the users can be 
blamed if something goes wrong *g*, and (b) session IDs change more often 
than passwords.
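The two schemes discussed above side by side, as an added example that is not part of the thread and not Rails code: a constructed in-memory users table stands in for the database, and the "remember me" alternative uses a random per-login token stored only as a digest, with the 14-day expiry mentioned.

```ruby
require 'securerandom'
require 'openssl'

# Constructed stand-in for the users table (not a Rails model): id => stored password hash.
USERS = { 42 => { password_hash: OpenSSL::Digest::SHA256.hexdigest('correct horse') } }

# The scheme proposed in the thread: cookie = user id + stored password hash.
def insecure_remember_cookie(user_id)
  "#{user_id}:#{USERS[user_id][:password_hash]}"
end

# Anyone holding the stored hash (e.g. from a leaked users table) is accepted
# without ever knowing the password, which is what the reply objects to.
def user_from_insecure_cookie(cookie)
  id, hash = cookie.to_s.split(':', 2)
  user = USERS[id.to_i]
  user && secure_equal?(user[:password_hash], hash) ? id.to_i : nil
end

# Alternative: a random per-login secret, kept server-side only as a digest
# with an expiry, and revocable independently of the password.
REMEMBER_TOKENS = {}                 # user_id => { digest:, expires_at: }
REMEMBER_TTL = 14 * 24 * 60 * 60     # 14 days, as suggested in the thread

def issue_remember_cookie(user_id, now = Time.now)
  token = SecureRandom.hex(32)
  REMEMBER_TOKENS[user_id] = { digest: sha256(token), expires_at: now + REMEMBER_TTL }
  "#{user_id}:#{token}"
end

def user_from_remember_cookie(cookie, now = Time.now)
  id, token = cookie.to_s.split(':', 2)
  record = REMEMBER_TOKENS[id.to_i]
  return nil unless id && token && record && now < record[:expires_at]
  secure_equal?(record[:digest], sha256(token)) ? id.to_i : nil
end

# Logging out or changing the password drops the token; the cookie is then useless.
def revoke_remember_cookie(user_id)
  REMEMBER_TOKENS.delete(user_id)
end

def sha256(s)
  OpenSSL::Digest::SHA256.hexdigest(s)
end

# Constant-time comparison so response timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```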

