Improving Drupal user login security practices


Tags:

CMS: Drupal

not scheduled

Description:

Most Drupal-based sites use password-based authentication. This session will discuss and draft proposals for improving current practices. Current ideas include:

  • Abandoning long-life PHP session cookies
  • Best practices for persistent login (a.k.a. "Remember Me") cookies
  • Not distributing initial account passwords via email
  • Supporting required instead of optional password changes
  • How SSL support should be integrated and configured
  • Preventing hijacking of mixed plaintext/SSL sessions
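As an added illustration of two of the ideas above (persistent "Remember Me" cookies and keeping them off plaintext connections), here is a persistent-login token scheme written for this page; it is example code, not Drupal core or module code, and it assumes a hypothetical table `persistent_login(selector, validator_hash, uid, expires)` reached through a PDO handle. The PHP session itself stays short-lived; the long-lived part is a separate token whose secret half is stored only as a hash, is rotated on every use, and is marked `Secure` and `HttpOnly` so it is never sent over an HTTP request or exposed to script.

```php
<?php
// Added example (not from the session page or from Drupal): a persistent-login
// ("Remember Me") token scheme. Assumptions: a table
//   persistent_login(selector, validator_hash, uid, expires)
// and a PDO handle $db. Cookie value = "<selector>:<validator>".
// The selector is a lookup key; only a hash of the validator is stored, so a
// read of the table does not yield cookies that can be replayed.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days, in seconds

function issue_persistent_login(PDO $db, int $uid): void
{
    $selector  = bin2hex(random_bytes(12));  // public half, used only to look the row up
    $validator = bin2hex(random_bytes(32));  // secret half, never stored in clear
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO persistent_login (selector, validator_hash, uid, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $uid, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // browser sends it over HTTPS only, never on a plaintext request
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id when the cookie is valid, null otherwise.
function check_persistent_login(PDO $db): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;   // malformed cookie
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT validator_hash, uid, expires FROM persistent_login WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;   // unknown selector or expired token
    }

    // Constant-time comparison avoids leaking how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Selector known but validator wrong: treat as a forged or stolen cookie
        // and revoke this token so the legitimate user is asked to log in again.
        $db->prepare('DELETE FROM persistent_login WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Rotate on every use so a captured cookie works at most once.
    $db->prepare('DELETE FROM persistent_login WHERE selector = ?')->execute([$selector]);
    $uid = (int) $row['uid'];
    issue_persistent_login($db, $uid);

    // Establish a fresh, short-lived PHP session rather than reviving an old one.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    return $uid;
}
```

Call `issue_persistent_login()` after a successful password login when the user ticks "Remember Me", and `check_persistent_login()` at the start of a request that has no live session. Because the validator is only ever stored hashed and the cookie is rotated on each use, a leaked database row or a single captured cookie has limited value, and the `Secure` flag is what stops the token from ever crossing the plaintext side of a mixed HTTP/HTTPS site.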

I'm open to expanding this session to include non-password authentication mechanisms such as OpenID, LDAP, Kerberos, etc., and/or the application of these ideas to non-Drupal CMSs.

Led by: