I am implementing remember me functionality to login. I used jquery as following code but big disadvantage from that code as I mentioned below code snippet, Plaintext password storing into browser, Its not secure can any one tell me how to implement safe and secure remember me
$("#login_form").ready(function() {
$('#username').val($.cookie('username')).change();
$('#password').val($.cookie('password')).change();
//alert($('#password').val($.cookie('password')).change());
$('#remember').click(function()
{
var username = $('#username').val();
var password = $('#password').val();
// set cookies to expire in 30 days
$.cookie('username', username, { expires: 30 });
$.cookie('password', password, { expires: 30 });
});
});
The way to do this is to make a random ( psudo random ) key and not expose any user information such as a password or login. You can make a easy key for this using
sha1($login.mirotime().rand(0,10000));
And a simple table to create a relationship back to the user account. If you use just the login, then I could easily create a cookie and hack your user accounts. If you expose the password, same deal. If you encrypt the password it would need to be 2 way encryption. Which is about the weakest type of encryption, and the complexity in doing that right makes it about the same effort as making a simply random key and a table to use. Not to mention you can put an expire field in the table, and / or use it for lost password resets once properly setup.
This is what I typically refer to as a passport. Another thing you can setup some brute force protection and delay attempts to guess a keys. Typically this could be done by tracking attempts and ip addresses and then delaying them after so many failed attempts ( that is a bit outside the scope of this answer though ) .