Quote:
Just curious where you get this auto login module. I never actually used it, as I heard many things about it: that it had security flaws and could enable a user to take over your site. Has this been fixed? Suppose it would have by now.
I think we've already discussed this in a couple of other threads. Auto-login FUNDAMENTALLY (not just with XOOPS) carries some security risk. For example, if someone else uses your computer and you forget to log out, then they will have your privileges on an XOOPS site. Another risk is that cookies can be "stolen" via e.g. JavaScript techniques (if any modules or blocks with XSS vulnerabilities are installed), and the 'thief' can then log on as the person from whom the cookie is stolen. Generally, it is advised NOT to select "remember me" if you are an administrator/moderator/privileged user.
The "remember me" feature is INHERENTLY risky. As a webmaster, you weigh the risks:
- how likely is your site to be victim of attack?
- how sensitive is your data?
- how valuable is your data to you? Do you make regular backups?
- can your admins be trusted to NOT use auto-login?
- how important is it to your users to support this feature?
- many many sites offer this feature without incident
- etc.
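
Added example (not part of the original post and not XOOPS code): a minimal server-side sketch of a "remember me" token that narrows the two risks named above by marking the cookie HttpOnly, so page JavaScript cannot read it, and by refusing persistent login to privileged groups. The group names, cookie name, lifetime and in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumptions for illustration: group names, cookie name and lifetime.
PRIVILEGED_GROUPS = {"admin", "moderator"}
COOKIE_NAME = "remember_me"
MAX_AGE = 14 * 24 * 3600  # two weeks

# Stand-in for a database table: selector -> (sha256(validator), user id).
token_store = {}


def issue_remember_me(user_id, groups):
    """Return a Set-Cookie value, or None if the user is privileged."""
    if PRIVILEGED_GROUPS & set(groups):
        return None  # admins/moderators always log in interactively
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    # Store only a hash, so a leaked table does not yield usable cookies.
    digest = hashlib.sha256(validator.encode()).hexdigest()
    token_store[selector] = (digest, user_id)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{selector}.{validator}"
    morsel = cookie[COOKIE_NAME]
    morsel["max-age"] = MAX_AGE
    morsel["path"] = "/"
    morsel["httponly"] = True  # not exposed through document.cookie
    morsel["secure"] = True    # sent over HTTPS only
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def redeem_remember_me(cookie_value):
    """Return the user id for a valid token, else None."""
    selector, sep, validator = cookie_value.partition(".")
    record = token_store.get(selector)
    if not sep or record is None:
        return None
    stored_hash, user_id = record
    # Each token works once; the caller issues a fresh one after success.
    del token_store[selector]
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(presented, stored_hash):
        return None
    return user_id
```

HttpOnly only stops script from reading the cookie value; it does not fix the underlying XSS, and it does nothing for the shared-computer case, which is why privileged accounts get no token at all.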