If a site uses a persistent login feature that's set up according to the best practices defined here, are there any potential security issues with dropping the persistent login cookie right at the account creation step? (Immediately upon validating the new account data on the server.) The site does not require that users verify new accounts via an e-mailed link.
views:
68answers:
3
+1
A:
I don't see why not - the user just entered their password, after all, you're not gaining anything by asking for it again.
bdonlan
2009-07-29 17:02:00
+1
A:
So long as the cookie you're giving them once they've signed up is new, that's fine. I suspect it's rare since most places do email validation.
Draemon
2009-07-29 17:24:26
+1
A:
If this suits your needs, then there would be no technical reason to prevent you from dropping a persistent cookie. There is an assumption that you are wanting to do this to keep the user logged in between browser restarts etc.
Just do this with caution, on the t'internet the whole account activation without some kind of validation/confirmation is open to exploits - so as long as you have weighed those risks up then I see no problem.
David Christiansen
2009-07-29 18:07:12