Quote from article:
The wrong way to use cookies, therefore, is to have a login form, and on successful login, send out a cookie that lasts until year 2003 to that browser. That's bad. I can't log in on another browser, and if I forget to log out of a browser at an "internet cafe", the next user who stumbles across the same website is (gasp!) already logged in as me!
Erm like Perlmonks does :-}
What we have here of course is a trade-off between security and usability. The most secure access is to lock the machine in a safe and bury it in concrete, but that's not very usable. Whilst semi-permanent cookies for login control are less secure, in the arena of something like perlmonks it's less of an issue than, say, your online internet bank account :)
---If it doesn't fit use a bigger hammer
Many sites have a 'Remember me' checkbox in their login form which affects the cookie lifetime (i.e. the cookie lasts only for the browser session, or it expires in several years). Perlmonks is no exception.
I think it is a quite reasonable approach. I have this checkbox checked when I visit perlmonks from home and I don't check it when I visit perlmonks from other places.
--
Ilya Martynov
(http://martynov.org/)
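The 'Remember me' behaviour described in the post above, as an added example that is not code from the thread or from Perlmonks: the same login cookie is issued either as a browser-session cookie (no Max-Age, so a shared machine forgets it when the browser closes) or as a persistent one, and logout expires it explicitly. The cookie name "session", the one-year lifetime and the sample session id are assumptions.

```python
from http.cookies import SimpleCookie

# Assumed values for the example (not from the thread).
COOKIE_NAME = "session"
ONE_YEAR = 365 * 24 * 3600


def login_cookie(session_id: str, remember_me: bool) -> SimpleCookie:
    """Build the Set-Cookie for a successful login.

    Without 'Remember me' no Max-Age/Expires is set, so the browser
    discards the cookie when it closes (the internet-cafe case from
    the quoted article).  With it, the cookie persists for ONE_YEAR.
    """
    c = SimpleCookie()
    c[COOKIE_NAME] = session_id
    m = c[COOKIE_NAME]
    m["path"] = "/"
    m["httponly"] = True      # not readable by page scripts
    m["secure"] = True        # only sent over HTTPS
    m["samesite"] = "Lax"     # not sent on cross-site POSTs
    if remember_me:
        m["max-age"] = ONE_YEAR
    return c


def logout_cookie() -> SimpleCookie:
    """Expire the cookie so a persistent one does not outlive logout."""
    c = SimpleCookie()
    c[COOKIE_NAME] = ""
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = 0
    return c


def set_cookie_header(c: SimpleCookie) -> str:
    """Render the Set-Cookie line as the server would emit it."""
    return c.output(header="Set-Cookie:")


def session_from_request(cookie_header: str):
    """Read the session id back from an incoming Cookie header, or None."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c[COOKIE_NAME].value if COOKIE_NAME in c else None


if __name__ == "__main__":
    print(set_cookie_header(login_cookie("abc123", remember_me=False)))
    print(set_cookie_header(login_cookie("abc123", remember_me=True)))
    print(set_cookie_header(logout_cookie()))
```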