Joomla "remember me" security risk - joomla

The default behavior of the Joomla 2.5 "Remember me" checkbox during login is to store a session cookie for 1 year.
I've come across this discussion of it being insecure. Is this the case with Joomla 2.5?
What are the best practices with this if it is insecure?

Related

Permament cookies in Phoenix Framework

I want to implement a typical "Remember me" functionality on my site which requires a way to create cookies that expire in some far away future. Is there a way to create those in Phoenix Framework?
Just give the cookie a really high :max_age value:
http://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4

codeigniter auto login in with session, is it secure?

I have a website where the user can check a checkbox: Remember me. By checking this checkbox it will ensure that the session cookie will have an expire time of 2 weeks.
If the same user next day goes to the site he must automatically be logged in.
I can do this by putting in the constructor of the main controller an isset(session->userdata['username']), and if its set then that user will be logged in.
But my question is, will this be secure? Can't another person just make a custom cookie with a username(which he knows) and it will automatically logs him in?
I hope to get some input from you guys:) thank you.
There is no quick and easy answer. Take a look at these links which covers a lot regarding login best practices (including "remember me" option):
What is the best way to implement "remember me" for a website?
http://jaspan.com/improved_persistent_login_cookie_best_practice
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
The definitive guide to form-based website authentication

How to administratively invalidate a session that used "Remember Me" option?

I'm using Symfony 2.1.6 and PdoSessionStorage. I'm trying to add the same functionality that Facebook has to my application where you can show a user all the active sessions they have with the website (showing device type and location based on IP) and allow them to end any session if it looks suspicious.
Deleting the record from the PdoSessionStorage table doesn't work as the record is re-created automatically by Symfony again as soon as I perform activity again in that session (instead of Symfony detecting that the session was already removed and thus forcing the user to re-authenticate).
Is there any option to force a session that used "Remember Me" to re-authenticate with the system?
Thanks for any help.

Automatic Login with Janrain/OneAll/LoginRadius etc

I am planning to allow users to login to a website I am developing using their social network logins. Probably using one of the multi-provider services such as Janrain, OneAll, LoginRadius. What I want to know is, if a user of my site is already logged into their social network site when they visit my site, how do I go about automatically signing them in? The example I have come across that does this is goodreads.com.
I've developing in ASP.NET MVC3 but I would welcome any explanations/examples on how I go about this in any technology or even just the theory.
I'm working at OneAll and I'm glad to answer your question.
After a user has logged in with Social Login, you create a new account in your database, you log the user in and you set a cookie.
When the same user comes back in a couple of days, you detect that he has a cookie and you use the cookie information to automatically log him him and you refresh the cookie.

Disable User Auto Timeout - Joomla 1.5

I wanted to disable user auto timeout session for joomla (I am using joomla 1.5), so the user login to my site will stay forever without being kicked out by auto timeout. How to achieve that? Please help.
Thank you.
It's a setting in the login module. If you enable the "Remember Me" option, users will not be logged out unless they click the logout button. You can also modify the form so that the Remember Me option is a hidden field rather than a checkbox to default all users to stay logged in all the time.

Resources