Remember Me

Discussion in 'Community Forum Software' started by Chani, Nov 28, 2009.

  1. Chani

    Chani Grand Master

    When you click the "Remember Me" checkbox, is your password stored in your cookie, or is your session stored, or something else?

    I have a moderator that doesn't want to check that because he's at work and doesn't want his password to be discovered.
     
  2. Nick

    Nick Regular Member

    In that case, I'd recommend just not ticking it. I don't know exactly what information is saved, but the general rule of thumb is that if you are using a public computer or connection, then don't tick the box. :)
     
  3. Chani

    Chani Grand Master

    Yeah, those are my thoughts as well.

    His problem is that he can get a wee bit wordy, and he lost a post today because it took him more than 15 minutes to type it (with interruptions).

    I did increase the session times to 30 minutes. Hopefully that will help.
     
  4. MjrNuT

    MjrNuT Grand Master

    He can always clear his cache and discard any passwords every session, as one way to work with having it "ticked".
     
  5. FullMetalBabe

    FullMetalBabe Zealot

    I'm pretty sure it's the session (to your site) that is saved and not the password; the password is normally saved within your browser, which is why you could delete the cookies. The browser is the one that saved your password because I'm pretty sure the cookies let the browser know you want to be remembered next time a computer with that IP accesses the site. ~_~ Or maybe I'm rambling useless stuff. X3
     
  6. gnatster

    gnatster Regular Member

    There is a hack to Save As Draft that I found useful to add for a moderator on my site that is also quite wordy and was getting timed out.
     
  7. Ryan Ashbrook

    Ryan Ashbrook Regular Member

    Most forum software will store your password in a cookie, but it's almost always using their hashing algorithm coupled with your unique salt. In vBulletin, this cookie is usually called "bbpassword". But the "bb" part can change depending on how an administrator has set up their config.php.

    If someone were to view that cookie they would not be able to obtain your password because it would look similar to this:

    Code:
    h3dfi8sw03jnah3esh20s94mf6730ab2
    This is what your password looks like to the naked eye, however it's unique to each user because each user has another unique value, randomly generated, associated with it.

    The software then takes this, along with your username, and matches it up with what is stored in the database under your account, along with other preventative measures to prevent cookie and session spoofing.

    If it finds a match, then it creates a session in the database automatically, which in turn automatically logs you in. It also creates certain unique parameters, such as User Agents, User IDs, Registration Dates, etc. that ensure your session doesn't get picked up by another computer.

    It then fetches your session, on each page load, from the database using your unique identifying parameters.

    This is the very basics of session handling. I'm not good with sessions so a lot more probably goes into it than I explained here.

    In short, if the computer he uses is not used by anyone else in his workplace, then he'll be fine. If it's used by others, then he should not use the Remember Me function unless he specifically remembers to log out afterwards.

    Most modern day forum software will never store your password in plaintext.
     
    2 people like this.
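
The flow described in the post above, next to a per-device random token, as an added example that is not part of the thread and is not vBulletin's or any forum product's actual algorithm; the class names, site secret and hash construction are assumptions. It shows what each cookie lets the server revoke: the password-derived value is identical on every device and only stops working when the password changes, while a random token can be cancelled for one device at logout.

```python
import hashlib, hmac, secrets

SITE_SECRET = b"constructed-site-secret"  # constructed sample value

def stored_hash(password: str, salt: bytes) -> bytes:
    # What the database keeps for the account: a salted, slow password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordDerivedCookie:
    """Scheme from the post: cookie value is derived from the stored password hash."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)   # the per-user "unique salt"
        self.pw_hash = stored_hash(password, self.salt)

    def issue(self) -> str:
        # Deterministic: every browser that ticks "Remember Me" gets this value.
        return hmac.new(SITE_SECRET, self.pw_hash, hashlib.sha256).hexdigest()

    def verify(self, cookie: str) -> bool:
        return hmac.compare_digest(cookie.encode(), self.issue().encode())

    def change_password(self, new: str) -> None:
        self.pw_hash = stored_hash(new, self.salt)  # the only way to invalidate

class RandomTokenStore:
    """Alternative: one random token per device; only its hash is stored."""
    def __init__(self):
        self.tokens = {}  # selector -> sha256(validator)

    def issue(self) -> str:
        selector, validator = secrets.token_hex(8), secrets.token_hex(32)
        self.tokens[selector] = hashlib.sha256(validator.encode()).digest()
        return f"{selector}:{validator}"

    def verify(self, cookie: str) -> bool:
        selector, _, validator = cookie.partition(":")
        expected = self.tokens.get(selector)
        if expected is None:
            return False
        got = hashlib.sha256(validator.encode()).digest()
        return hmac.compare_digest(expected, got)

    def revoke(self, cookie: str) -> None:
        # Logout on one device removes only that device's token.
        self.tokens.pop(cookie.partition(":")[0], None)

if __name__ == "__main__":
    store = RandomTokenStore()
    work, home = store.issue(), store.issue()
    store.revoke(work)
    print("work:", store.verify(work), "home:", store.verify(home))
```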
  8. Boss

    Boss Resident Silly Man

    Most BB software doesn't allow password changes without the original one being typed in; vBulletin, for example, has this safe measure before you can edit the password or registration email.

    And if he logs in at another computer, say at home, and if most software works like Invision does, it'll invalidate the other login session. Although, that's completely up to the administrator. Your GMail works similarly. Click the IP address at the bottom of the window, and you'll see who's been accessing your account. Also has the option to log out of all other sessions except the current one.
     
    2 people like this.
  9. Chani

    Chani Grand Master

    Thank you very much!

    I'll let him know that he's (mostly) safe using remember me as long as he uses log out whenever he's done.

    Thanks again! :)
     
  10. Tex

    Tex Adept

    Since this is a moderator we're talking about, I would highly recommend he does not use that Remember Me option. It's too easy to forget to log out, and then the next user at that computer could access his forum account.

    Regardless, anytime I type up a long post I frequently hit Ctrl+A to highlight everything then Ctrl+C to copy it so in case something like that happened after I hit submit I could easily log back in and simply paste everything back which I already typed.
     
  11. Ryan Ashbrook

    Ryan Ashbrook Regular Member

    We're talking about a work computer, though. Chances are he's the only one that uses it there.
     
  12. Chani

    Chani Grand Master

    I've let him know about the copy+paste method. I've used that for years.

    I'm not terribly worried about others where he works hacking into cookies, and he's VERY meticulous about signing out when he's done. :)
     
  13. Tex

    Tex Adept

    All good, I just like to know that anyone with those permissions on my site doesn't take the chance. :)
     
