more /root/Rules and Announcements/Remember Me.thread
2008-09-10 13:39:29 IsmAvatar
I've added a Remember Me feature.

Please be aware that using this feature will store a cookie on your computer, containing your username and hashed password unencrypted. Due to this, anybody else who has access to your computer will be able to log in and post as you, so this feature is not recommended for shared computers (like most login systems).

This cookie is flushed or deleted when you click "Log Out". After the specified amount of time, the cookie will expire. It is up to your browser to delete expired cookies. Consult your browser's documentation to see if and when it deletes the cookie.

Additionally, if you have cookies enabled, logging in will store a cookie containing session information, so that you can stay logged in from page to page. To learn more about this, read about Sessions on any good website. If cookies are disabled, it will try to find another way to retain the session.

Despite this, if you have cookies disabled, "Remember Me" simply will not work.
2008-09-10 13:41:16 IsmAvatar
Furthermore, choosing the "Until I leave" option will not store a cookie (thus the "no cookie" note next to it). This is the default login method, and this is the way that login worked prior to the Remember Me feature.
2008-09-11 04:05:28 Clam
Couldn't you simply store a password hash in the cookie?
2008-09-11 19:46:13 IsmAvatar
Yes, but that would be too easy! Actually, it requires a bit more code to differentiate between a Login request and a cookie-automated login, whereas without the hash I could just treat them both the same.

Whatever the case, cookies now only store your password in a hash.

This is more secure, but realize that if you use this cookie, anybody else who uses your computer will also be able to log in and post as you. Thus, you should not use the Remember Me feature if you are on a shared computer. This is pretty standard for all login systems.
2008-09-12 01:24:30 Clam
A plaintext password stored in the cookie could also let them log in as me! :P

Thanks for the change.
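
The two login paths from IsmAvatar's 2008-09-11 post, sketched as an added example that is not part of the thread and not the forum's own code: a form login hashes the submitted password before comparing, while a cookie login compares the stored hash as-is, so the cookie alone is enough to log in until the password changes. SHA-256, the function names and the sample account are assumptions; the thread does not name the hash the forum uses.

```python
import hashlib
import hmac

def hash_password(password: str) -> str:
    # Assumption: SHA-256 stands in for whatever hash the forum uses.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample account store: username -> stored password hash.
USERS = {"clam": hash_password("correct horse")}

def _matches(username: str, candidate_hash: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False
    # Constant-time comparison of the two hash strings.
    return hmac.compare_digest(stored.encode("utf-8"),
                               candidate_hash.encode("utf-8"))

def form_login(username: str, password: str) -> bool:
    """Login request: the submitted password is hashed, then compared."""
    return _matches(username, hash_password(password))

def cookie_login(cookie: dict) -> bool:
    """Cookie automated login: the cookie already holds the hash,
    so it is compared directly and must not be hashed again."""
    return _matches(cookie.get("username", ""), cookie.get("hash", ""))

def make_remember_me_cookie(username: str) -> dict:
    # What "Remember Me" stores after the change: username plus password hash.
    return {"username": username, "hash": USERS[username]}

def change_password(username: str, new_password: str) -> None:
    USERS[username] = hash_password(new_password)

def demo() -> dict:
    cookie = make_remember_me_cookie("clam")
    results = {
        "form_ok": form_login("clam", "correct horse"),
        "cookie_ok": cookie_login(cookie),
        # Sending the cookie down the form path hashes the hash and fails,
        # which is why the two requests need separate handling.
        "cookie_as_form": form_login(cookie["username"], cookie["hash"]),
    }
    change_password("clam", "new passphrase")
    # The old cookie no longer matches once the stored hash changes.
    results["cookie_after_change"] = cookie_login(cookie)
    return results

if __name__ == "__main__":
    print(demo())
```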