1
dasdan
auto-login
  • 2005/2/18 23:30

  • dasdan

  • Just popping in

  • Posts: 29

  • Since: 2005/1/22


Peak auto-login hack

Re: auto-login hacked files for XOOPS 2.0.9.2
This hack stores the password as an MD5 hash on the client, but this is vulnerable to dictionary attacks, and simple copying to another computer.
This hack is a potential security hole, don't enable it lightly.


I was thinking: client logs in, server creates a unique random ID and stores it in the DB, sends it back to the client, which stores it in a cookie. Next page visit, server checks the unique ID; if it matches -> generates a new ID, else the user needs to log in again. (possibly a hack)

2
m0nty
Re: auto-login
  • 2005/2/18 23:36

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


Errr, I'm not quite sure what the question is here?

Have you tried GiJoe's auto-login hack?

Personally, if you think about it, having any kind of auto-login is going to reduce security compared to a system that doesn't have one..

3
ahnah
Re: auto-login
  • 2005/2/19 2:20

  • ahnah

  • Just popping in

  • Posts: 9

  • Since: 2004/11/29


Well... my users also request such a feature; I guess it is what users need.. so why not make it an option in the XOOPS core module?

4
dasdan
Re: auto-login
  • 2005/2/19 13:49

  • dasdan

  • Just popping in

  • Posts: 29

  • Since: 2005/1/22


The reason for my post..

I read the comments on the peak download site for the auto-login module.
I think it's not really secure to store the user's hashed password in a cookie on the client.

It would be more secure to store a random ID.

Enabling auto-login will always decrease security, I agree,
but storing a hashed pass sounds dangerous, when you know it can be decrypted.
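The random-ID scheme dasdan sketches in posts 1 and 4 (random ID created at login, stored in the DB, sent back in a cookie, checked on the next visit and replaced with a new one), written out as an added example. This is not code from the thread, from the Peak hack or from XOOPS, and it is Python rather than XOOPS's PHP so it can be run as-is; the in-memory `AutoLoginStore` stands in for the DB table, and two details are assumptions beyond the post: the DB keeps only a SHA-256 of the ID (so a copy of the table alone gives no usable cookies) and each ID carries an expiry.

```python
import hashlib
import secrets
import time


# Hypothetical in-memory stand-in for the DB table the post proposes.
# Rows are keyed by sha256(token), not the token itself (an added hardening:
# reading the table does not hand out working cookies, and looking up a hash
# means no constant-time string comparison is needed).
class AutoLoginStore:
    def __init__(self, lifetime_seconds=30 * 24 * 3600, now=time.time):
        self._rows = {}                 # sha256(token) -> (uid, expires_at)
        self._lifetime = lifetime_seconds
        self._now = now                 # injectable clock so expiry can be exercised

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, uid):
        """Login step: create a fresh random ID, record it, return the cookie value."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = (uid, self._now() + self._lifetime)
        return token

    def redeem(self, cookie_token):
        """Next page visit: check the cookie. On a match the old ID is discarded and
        a new one issued (rotation); otherwise None, i.e. the user must log in again."""
        if not cookie_token:
            return None
        row = self._rows.pop(self._key(cookie_token), None)   # one-shot: a replay fails
        if row is None:
            return None
        uid, expires_at = row
        if self._now() > expires_at:
            return None
        return uid, self.issue(uid)

    def revoke_user(self, uid):
        """Logout or password change: drop every outstanding ID for this user."""
        stale = [k for k, (u, _) in self._rows.items() if u == uid]
        for k in stale:
            del self._rows[k]
        return len(stale)


def walkthrough():
    """Exercise the scheme with a fake clock; returns the observations for checking."""
    clock = [1_000_000.0]
    store = AutoLoginStore(lifetime_seconds=3600, now=lambda: clock[0])

    first = store.issue(uid=7)                  # user logged in with a password
    uid, second = store.redeem(first)           # next visit: accepted and rotated
    replay = store.redeem(first)                # the old cookie value no longer works
    bogus = store.redeem("not-a-real-token")    # unknown value: rejected

    clock[0] += 7200                            # two hours later, past the lifetime
    expired = store.redeem(second)

    third = store.issue(uid=7)
    revoked = store.revoke_user(7)
    after_revoke = store.redeem(third)

    return {
        "uid": uid,
        "rotated": second != first,
        "replay_rejected": replay is None,
        "bogus_rejected": bogus is None,
        "expired_rejected": expired is None,
        "revoked_count": revoked,
        "after_revoke_rejected": after_revoke is None,
    }


if __name__ == "__main__":
    print(walkthrough())
```

Because `redeem` deletes the row before issuing the replacement, a cookie value is valid for exactly one visit: a copied cookie used after the legitimate browser has already visited is rejected, which is the property the post is after. In a real deployment the cookie would also be set `HttpOnly` and `Secure`, and `revoke_user` would be called on logout and on password change.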

5
m0nty
Re: auto-login
  • 2005/2/19 15:09

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


Maybe a random key is a good idea if it can be implemented right..

Or maybe a user could tie his computer name/ID to the auto-login cookie; that way a script could probably read the user's computer name, which could also be stored in the DB.. If the computer name of the user doesn't match the one stored in the DB then auto-login will not function, but it would still allow the user to log in for a single session without being auto-logged in. That way it would still allow users to log in from another PC, and if done on public computers there's no chance of them being auto-logged in again.. Of course the user should be able to change his computer ID via a setting in the control panel..
