Smallthoughts

Thoughts on Smalltalk

Auto-login

You may allow your user to specify that they be logged in automatically when they return to your site. This is accomplished by defining cookies that contain the user's base64 encoded username and an encrypted copy of their password.

Even though the password cookie content is encrypted, use of this feature presents a serious security risk. Consider allowing it only over secure (TLS/SSL) sessions or only when revealing the user's content to unauthorized users is not a problem.

Note that the TFLoginComponent>>#logout method clears the password cookie. Otherwise users with auto-login would be automatically logged in immediately after logout and would have no opportunity to change their auto-login setting. In general, users who have specified auto-login should not logout if they wish to be logged in automatically when they return.

Tests
Integrating TFLogin with your application
Ajax
User administration
Deleting user accounts
Login filter
Managing failed login attempts
Auto-login
Using email confirmation
New user initialization
Appearance
Persistence
TLCachingFileStorageAdaptor
Application Properties
Reinitialization
New password validation
Logging out
Powered by Pier