Website Discussion, Bug Reports and Abuse Reports

Increase login session time

This thread is open.

Posted by D6Veteran 2011-02-11 14:33:20 GMT

Gmail, Netflix, Flickr . . . they all leave you logged in for days. I would expect the same for orderofthehammer. As it is now I have to log in several times a day.

Posted by Hammerite (administrator) 2011-02-11 20:15:22 GMT

I think those services probably don't leave you logged in for days on the same session - more likely, they use cookies to make sure the user automatically logs in when they revisit ("persistent login"). I do want to add this feature and it is on my to-do list, but it will be a while before I can get around to it. The main difficulty is that I am not sure what possible security pitfalls exist and I want to make sure not to do a hack job of it. In the meantime, I'm afraid I'm not going to lengthen the session timeout from its current value of 3 hours.

Posted by Redessa 2011-03-16 22:09:55 GMT

I'd like to see this too please. It should be simple to implement - a global handler for every page that authenticates using a cookie if the user is not logged in and a cookie is supplied. Set the cookie from the login page with a "remember me on this computer" checkbox.

So long as you don't store the user ID and login in the cookie, it'll be perfectly safe. A SHA1 hash generated from the username and password would be perfectly secure and nigh on uncrackable. Cookies can always be stolen (just as a password can). Generating a cookie from the hashed password means any stolen cookies would then be invalidated on a password change. You can protect against stolen cookies by including the browser's IP address in the hash, so the cookie is valid for that user on that machine only.

It's fairly academic about security anyway, as the current login form transmits the username and password over open HTTP, so they could be readily intercepted. If you're that worried about security make the login use HTTPS to encrypt the password.

Anyway, the only data that could be compromised is my email address. The rest seems to be publicly available on the site.
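As an added illustration of the "remember me" handler discussed above (not code from the site or from any poster; the class, names and in-memory storage are assumptions), this sketch issues a random selector:validator cookie, keeps only a hash of the validator server-side, and records the password generation so that a password change invalidates every outstanding cookie:

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """In-memory model of a 'remember me on this computer' feature (example only).

    The cookie carries a random selector and a random validator. Only a hash of
    the validator is stored, so a copy of the server table alone cannot forge a
    cookie. Each token records the password generation it was issued under, so
    changing the password invalidates every cookie issued before the change.
    """

    def __init__(self):
        self.password_generation = {}   # username -> int, bumped on password change
        self.tokens = {}                # selector -> (username, sha256(validator), generation)

    def register(self, username):
        self.password_generation.setdefault(username, 0)

    def issue_cookie(self, username):
        """Called after a successful password login with the checkbox ticked."""
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self.tokens[selector] = (username, digest, self.password_generation[username])
        return f"{selector}:{validator}"

    def authenticate_cookie(self, cookie):
        """Global per-page handler: return the username, or None if the cookie is bad or stale."""
        selector, sep, validator = cookie.partition(":")
        entry = self.tokens.get(selector)
        if not sep or entry is None:
            return None
        username, digest, generation = entry
        if generation != self.password_generation[username]:
            del self.tokens[selector]       # issued before the password changed
            return None
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return None                     # selector known but validator wrong
        return username

    def change_password(self, username):
        """Bump the generation; every cookie issued earlier stops working."""
        self.password_generation[username] += 1
```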

Posted by astrostl 2013-07-03 15:32:37 GMT

Major +1 here. Only true grievance with the site, which I generally love. I would check "keep me logged in" even if it had a "this is a massive security risk for your account" warning - even though I don't think standard cookie usage would rate to be one. It is just a game :) Thanks for considering the feature.

