* This is only secure if the HTML form is on an encrypted page.
* Always use hashed passwords. A user's password should not be stored anywhere, as it could be stolen. There is also no technical need to keep it, once the hash has been generated.
* If the site is not on a secure connection, cookies can be sniffed, so the back-end should ideally check that a session cookie with a unique ID only comes from one IP address. It should then be sufficient to identify the person for the duration of the session.
* Some sites use a simple hashed password and username as identification when using auto-login. However, since cookies can be intercepted under some circumstances, I don't consider this very secure. Of course, someone using auto-login probably isn't paranoid about security, but I'd suggest a system where the auto-login is time-limited, so that the "secret" hash is occasionally changed. One can also "rotate" it every time the person logs on, but that wouldn't work too well if the person uses the site from multiple locations.
Just a few random thoughts on the issue, so take it with 64.8 mg NaCl ... :-)
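The three mechanisms sketched in the post above (store only a salted password hash, bind a session cookie to the client IP it was issued to, and hand out time-limited auto-login secrets that rotate on use) are small enough to show in one piece. The following is an added example written for this page, not code from the poster or from any project; the in-memory stores, the PBKDF2 parameters, the lifetimes and the "kill the session on IP mismatch" policy are my own assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed work factor; tune to your hardware. Only salt + digest are ever stored.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). The cleartext password is discarded after this."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt; constant-time compare."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class SessionStore:
    """Session id -> (user, client_ip, expires_at). The id is a random cookie value."""

    def __init__(self, lifetime_s=3600):
        self.lifetime_s = lifetime_s
        self._sessions = {}

    def create(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, client_ip, now + self.lifetime_s)
        return sid

    def lookup(self, sid, client_ip, now=None):
        """Return the user only if the cookie is unexpired AND arrives from the IP it was issued to."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip, expires_at = entry
        if now > expires_at:
            del self._sessions[sid]
            return None
        if client_ip != bound_ip:
            # Assumed policy: a sniffed cookie replayed from elsewhere is treated as theft,
            # so the session is destroyed rather than merely refused.
            del self._sessions[sid]
            return None
        return user


class AutoLoginStore:
    """Remember-me tokens: random secret per browser, time-limited, replaced on every use.

    Only a hash of the token is kept server-side, so a leaked table does not log anyone in.
    """

    def __init__(self, lifetime_s=14 * 86400):
        self.lifetime_s = lifetime_s
        self._tokens = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (user, now + self.lifetime_s)
        return token

    def redeem(self, token, now=None):
        """Consume the presented token. Return (user, replacement_token) or None."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if now > expires_at:
            return None
        return user, self.issue(user, now)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, digest))
    sessions = SessionStore(lifetime_s=60)
    sid = sessions.create("alice", "203.0.113.5", now=1000)
    print("same ip:", sessions.lookup(sid, "203.0.113.5", now=1010))
    print("other ip:", sessions.lookup(sid, "198.51.100.9", now=1020))
    remember = AutoLoginStore(lifetime_s=100)
    tok = remember.issue("alice", now=0)
    print("redeem:", remember.redeem(tok, now=50))
```

Because each browser holds its own token (keyed by its hash, not one secret per user), rotating the token on use does not log the same person out of their other locations, which addresses the drawback the post raises about rotating on every login. The IP binding in `SessionStore` is the check the post suggests for unencrypted sites; note that it also breaks sessions for clients whose address changes mid-session (mobile networks, proxy pools), so in practice it is a trade-off rather than a free win.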