Drupal-check.org - cookies
http://www.drupal-check.org/check/62

Stop logins being remembered
http://www.drupal-check.org/node/82

<p>By default Drupal will keep people logged in for 23 days (2000000 seconds) by saving a cookie in their browser. This is nice, but a potential security problem if people are using the site from shared computers.</p>
<p>Consider editing the site's settings.php to have</p>
<div class="geshifilter"><div class="php geshifilter-php" style="font-family:monospace;">ini_set('session.cookie_lifetime', 0);</div></div>
<p>instead of the default</p>
<div class="geshifilter"><div class="php geshifilter-php" style="font-family:monospace;">ini_set('session.cookie_lifetime', 2000000);</div></div>
<p>With the former, the user's login will be forgotten when they close their browser window, even if they forget to log out explicitly.</p>

Going live, cookies, login, security, Drupal 5.x, Drupal 6.x
Mon, 28 Sep 2009 21:23:43 +0000
Fonant