22 Oct 2010, 4:46 p.m.
On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tseaver@palladion.com> wrote:
The obvious issue with a beyond-this-session auth cookie is that it enables anybody who can run that browser / profile to authenticate as the user being persisted. I would consider this an unacceptable risk for any site where the authentication was intended for anything more than "keep spambots out" (i.e., you might as well be using OpenID).
Isn't this about the same risk as the browser saving the ID/password pair for the site? Certainly on a public or multi-user machine this would not be a good idea, and appropriate warnings should be given. (It seems to me that all browsers do this, and most users take advantage of it.)
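The trade-off discussed above (a cookie that outlives the browser session lets whoever holds the browser profile act as the user) can be narrowed on the server side. The following is an added example, not code from this thread or from any project its participants work on: a "remember me" store that hands the browser a random token, keeps only the token's SHA-256 hash with an expiry, rotates the token on each use so a copied cookie stops working once the real browser comes back, and can revoke every remembered browser for a user at once. The class name, the two-week lifetime and the cookie name `remember` are assumptions chosen for the example.

```python
"""Added example (not from the thread): a revocable, expiring "remember me"
cookie scheme. The browser holds a random token; the server stores only its
SHA-256 hash plus an expiry, so a leaked table yields no usable cookies.
All names and values here are constructed for illustration."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RememberMeStore:
    max_age: int = 14 * 24 * 3600  # assumption: two-week lifetime
    # sha256(token) -> (user_id, expires_at)
    _records: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now=None) -> str:
        """Create a fresh token for user_id and remember only its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = (user_id, now + self.max_age)
        return token

    def cookie_header(self, token: str) -> str:
        """Set-Cookie line for the token. Secure + HttpOnly keep it off plain
        HTTP and away from page scripts; Max-Age mirrors the server expiry so
        the browser discards it at the same time the server does."""
        return (f"Set-Cookie: remember={token}; Max-Age={self.max_age}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")

    def authenticate(self, token: str, now=None):
        """Return the user_id for a live token, or None (expired tokens are
        purged on sight)."""
        now = time.time() if now is None else now
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None
        user_id, expires_at = record
        if now >= expires_at:
            del self._records[key]
            return None
        return user_id

    def rotate(self, token: str, now=None):
        """Accept a token once, then replace it. Returns (user_id, new_token)
        or None. A cookie copied from the profile dies the next time the
        legitimate browser presents the original."""
        user_id = self.authenticate(token, now)
        if user_id is None:
            return None
        del self._records[self._digest(token)]
        return user_id, self.issue(user_id, now)

    def revoke_all(self, user_id: str) -> int:
        """Forget every remembered browser for user_id (the remedy after a
        shared or lost machine). Returns how many records were dropped."""
        doomed = [k for k, (uid, _) in self._records.items() if uid == user_id]
        for k in doomed:
            del self._records[k]
        return len(doomed)


if __name__ == "__main__":
    store = RememberMeStore()
    tok = store.issue("alice")
    print(store.cookie_header(tok))
    print("login as:", store.authenticate(tok))
    _, tok2 = store.rotate(tok)
    print("old token still valid?", store.authenticate(tok) is not None)
    print("revoked:", store.revoke_all("alice"))
```

The point of hashing is that the database never holds anything a thief could paste into a cookie jar; the point of rotation and `revoke_all` is that the exposure window is bounded by the next legitimate visit or by an explicit "log me out everywhere", rather than by the cookie's full lifetime.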