Allow persistent "Remember me" session for Admins
While I understand the motivation behind requiring admins to perform an actual log-in to make changes, and while that likely makes sense for fairly static sites, it is a pain while performing significant data updates. Why not allow the site administrator to make the decision of whether or not persistent sessions should be allowed for administrators or others allowed to make edits?
I would VERY much like to have the option to allow me to maintain a persistent session so that I never have to log back in to my site as the admin. It remembers me, but it still continues to require me to log in and I believe I should have the ability to turn off that feature and allow it to remember me.
It seems to me that the current implementation is very insecure. The cookie contains just the user id, so it can be trivially replaced by anything else. If you allow Remember Me, anyone can impersonate, to some extent, any user, even if they have no legitimate account of their own. The impact of this varies depending on what your authentication expectations are.
What would be needed would be something along the lines of:
- On initial install, generate a random value sufficiently long and remember it for the future somewhere
- On "Remember me" login, hash the concatenation of username, the time and the random value
- Set the cookie to some concatenation of username, time and hash. Do *not* include the random value
On session start:
- Read the cookie
- Compute the hash and compare with that in the cookie
- Verify the time in the cookie to check it is not too old (do not trust the expire time in the cookie)
- If verification succeeds, accept as logged-on
Better schemes are possible (for instance, the HMAC construction may be better).
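The scheme sketched in the comment above, written out as an added example (not code from the project or the commenter). It uses the HMAC construction the comment mentions instead of a plain hash over the concatenation; the secret, the `MAX_AGE_SECONDS` limit and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed site-wide secret: generated once at install time and kept server-side.
# It is never placed in the cookie. Generated here only so the example runs.
SERVER_SECRET = secrets.token_bytes(32)

# Server-side freshness limit. The cookie's own expiry attribute is not trusted.
MAX_AGE_SECONDS = 30 * 24 * 3600


def _mac(username: str, issued: int, secret: bytes) -> str:
    """HMAC-SHA256 over username and issue time, keyed with the server secret."""
    msg = f"{username}:{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_remember_me(username: str, secret: bytes = SERVER_SECRET,
                      now: Optional[int] = None) -> str:
    """Build the cookie value: username, issue time and MAC; no secret inside."""
    issued = int(time.time()) if now is None else now
    return f"{username}:{issued}:{_mac(username, issued, secret)}"


def verify_remember_me(cookie: str, secret: bytes = SERVER_SECRET,
                       now: Optional[int] = None,
                       max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the username if the cookie is authentic and fresh, else None."""
    try:
        # rsplit keeps parsing unambiguous even if the username contains ':'
        username, issued_s, mac = cookie.rsplit(":", 2)
        issued = int(issued_s)
    except ValueError:
        return None
    # Recompute the MAC and compare in constant time; reject any tampering.
    if not hmac.compare_digest(mac, _mac(username, issued, secret)):
        return None
    # Age check against the server clock, not the cookie's expiry.
    current = int(time.time()) if now is None else now
    if issued > current or current - issued > max_age:
        return None
    return username


if __name__ == "__main__":
    token = issue_remember_me("admin")
    print(token, "->", verify_remember_me(token))
```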