AVG here as well.

I went to add another comment and couldn't find the reply button. Arrrggh! Why? I wasn't logged in again.

Yes, a nice long user entered seed during the install would work. And rather than using it to encode the user id, perhaps each user record is updated with a nice long (40 char+) unique string that is also put into the cookie. The version in the database could be encrypted like the password too, I guess. So the server sees the cookie, encrypts it, and tries to find it in the database. I would only be as secure as the person's cookies, but hey if you aren't using https nothing is secure in the first place.

I think this is an important feature for many of the reasons previously mentioned. However, a built in solution has to be done very carefully. If you were to set a cookie that automatically logged you in, it would obviously need to represent an encrypted version of the user's id. The server would decrypt it, verify it, and log them in.

The problem is, this encrypt/decrypt algorith of sorts, would need to be unique to every server. Otherwise, you could encrypt the id on your own xoops, fake the cookie to another site, and voila! That is why it would be difficult to have a built it version. The algorithm would have to a custom/unique seed for every site and be still be hard to crack.

There are of course other ways to do this, anyone wanna brainstorm with me?

-ddFred