Security

[davidyell]

I thought it was worth mentioning that storing the username and password in the cookie is a huge security risk. You should be using a hash of some description saved in the database.

There are some more details here, http://jaspan.com/improved_persistent_login_cookie_best_practice

[Xety]

Hello,

Yes and no, because the cookies are not stored in clear. They are crypted using the Cookie component. And actually it's not possible to decrypt them if you don't have the hash.

[davidyell]

Ah fair enough, perhaps this is worth a read too, as this functionality might be making it's way into the core in 3.2.

FriendsOfCake/Authenticate#53

[Xety]

Interesting solution, i will let your issue open so when i will got some time, i will work on it.

Thanks you !

[kgbph]

Anyone still working on this?