How safe is autologin + email hack?

Requested and Answered by Sudhaker on 2005/3/4 21:10:54

Myths about autologin + email hack

Myth 1: It increases server and database load heavily because the garbage collector will not be doing clean-up. I can't afford it because my concurrent user count is huge.

Fact: It will not increase the load significantly. A query to the xoops_session table will return a few extra bytes and the 'Who's online' block will pump out more unames. That's it. Xoops always creates a record for any new session (no matter if the session is anonymous or a member's). So the query count stays the same. And we see more realistic information in the 'Who's online' block and members can have pleasant browsing. I'm sick of seeing 'no permission' as my session expires while I'm typing a response (maybe I should type faster – hehe).

Myth 2: Oooo, is it safe? We can't compromise on security B-).

Fact: It is far safer than storing the username/password in the browser. Yes, it is a little less safe than normal operation, but eventually it is exactly the same logic that cookie-based session persistence has. The only difference is – the server can release resources as usual, but you get a fake feeling of an extended session using saved cookies. It will be transparent to the end-user as the server will create a new session without authentication.

Assuming the possibility of session hijacking, without this hack you are vulnerable during your current session only. But with this hack the period is extended until the auto-login is valid. Big vendors like Gmail (2 weeks) and Yahoo Mail (24 hours) also use a similar mechanism with similar risks.

Myth 3: Cookies are saved on the user's computer. We have lost control.

Fact: The site admin can invalidate all (or some) saved auto-logins. Clear the actkey column in the xoops_users table, done. Those saved cookies are trash now.
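The lifecycle the post describes (a saved cookie lets the server open a new session without a password, the exposure window lasts until the auto-login expires, and the admin can kill every saved cookie by clearing the actkey column) is shown below as an added, self-contained example. It is not the hack's code and not Xoops code: the in-memory USERS table, the "actkey_expires" field, the "uid:secret" cookie layout and the two-week lifetime (borrowed from the Gmail figure quoted above) are assumptions, and the stored value is a hash of the secret rather than the secret itself, which is this example's design choice.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the xoops_users table (uid -> row). The real hack's
# column layout is not on the page; 'actkey' mirrors the column the post says
# the admin clears, 'actkey_expires' is an assumption added for the expiry check.
USERS = {
    1: {"uname": "alice", "actkey": "", "actkey_expires": 0},
    2: {"uname": "bob", "actkey": "", "actkey_expires": 0},
}

# Two weeks: the Gmail auto-login lifetime the post quotes (assumed here).
AUTOLOGIN_LIFETIME = 14 * 24 * 3600


def issue_autologin(uid, now=None):
    """Hand the browser a persistent-login cookie for uid.

    Only a SHA-256 hash of the secret is kept server-side, so reading the
    table alone does not yield a cookie that the server would accept."""
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(32)
    USERS[uid]["actkey"] = hashlib.sha256(secret.encode()).hexdigest()
    USERS[uid]["actkey_expires"] = now + AUTOLOGIN_LIFETIME
    return f"{uid}:{secret}"  # assumed cookie layout


def resume_session(cookie, now=None):
    """Recreate a session from the cookie with no password prompt.

    Returns the uname on success, or None when the cookie is malformed,
    revoked (actkey cleared), expired, or carries the wrong secret."""
    now = time.time() if now is None else now
    try:
        uid_str, secret = cookie.split(":", 1)
        uid = int(uid_str)
    except (ValueError, AttributeError):
        return None  # malformed cookie
    row = USERS.get(uid)
    if row is None or not row["actkey"]:
        return None  # unknown user, never issued, or admin cleared actkey
    if now > row["actkey_expires"]:
        return None  # cookie outlived its lifetime
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(presented, row["actkey"]):
        return None  # wrong or superseded secret
    return row["uname"]


def revoke_autologin(uid):
    """Invalidate one member's saved cookie."""
    USERS[uid]["actkey"] = ""
    USERS[uid]["actkey_expires"] = 0


def revoke_all_autologins():
    """The admin action from the post: clear actkey for everyone, so every
    saved cookie becomes trash at the next visit."""
    for uid in USERS:
        revoke_autologin(uid)


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock so the run is deterministic
    cookie = issue_autologin(1, now=t0)
    print(resume_session(cookie, now=t0 + 3600))                     # alice
    print(resume_session(cookie, now=t0 + AUTOLOGIN_LIFETIME + 1))   # None (expired)
    revoke_all_autologins()
    print(resume_session(cookie, now=t0 + 3600))                     # None (revoked)
```

The expiry check is what bounds the hijacking window the post mentions: a stolen cookie is useful only until actkey_expires, or until the admin clears the column, whichever comes first.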

Myth 4: You guys are great, doing awesome things.

Fact: The actual credit should go to the Xoops team and GIJOE; they have done great work. We are just tweaking the application to satisfy our personal urge and need. Sometimes hacks are worth sharing with the community. So we came aboard.

I wish I could get more free time and opportunity to contribute more.

You can get it here

and


I'll not advocate this hack for any critical site dealing with big $$$. But not many of us have critical sites, so IMHO this hack is a MUST HAVE for most people.

I also request the Xoops core team to consider merging this into the main distribution. Ideally, a site parameter (an entry in the xoops_config table or in mainfile.php) could be used to enable and disable the feature and its parameters.


This Q&A was found on XOOPS Web Application System.