How can any kind of reasonable security and the 'keep me logged in on this computer' checkbox be compatible?
You've seen it everywhere, but let's take gamedev as an example. You create your account with your name and password and such. Then you log into the site. And if you're like me you also click that "keep me logged in on this computer" checkbox so that you don't have to futz around with passwords again.
This is, obviously, done with a browser cookie that stores enough information to get you logged in. The question is, how can this be done in a manner that's even somewhat secure? The simplest solution, storing the name and password as plaintext in the cookie, is obviously flawed. However, even if I mashed the username and password together and did some kind of hash that I could then compare against a similar hash on the server, all that does is prevent someone from retrieving the username and password by reading the cookie -- it doesn't prevent someone from duplicating the cookie on another machine and logging in.
Is this just a necessary evil of the 'keep me logged in on this computer' checkbox, or is there something I'm missing.
I'm just wondering this because my games will work similarly to that. You'll create your account, then the first time you start a daily puzzle, it'll ask for your username and password. You'll then have a checkbox just like that, and if you check it you'll be automatically logged in for any games you play on the machine, and it'll be done by exactly the same method that the games currently remember your name and volume settings - by Flash Shared Objects (aka Flash Cookies). Flash Cookies are very similar to standard browser cookies (search your hard drive for .SOL files and you'll find 'em), and they're about as easy to read with simple freeware tools.
So I figured I'd stand on the shoulders of giants and ask what's the method to store a secure 'keep me logged in on this computer' cookie.
And if there ain't one, as appears to be the case, say "there ain't one".
If you feel the "stolen cookie" scenario is a problem (which I don't think it is, really), you could have the GUID change every login. This leaves a limited time frame for using that GUID (until the next login). If you require the password to change to a new one (which you should, since the duplicator doesn't know it in any case), then the real user will just fail to login, which would require his user&pass, and then invalidate the last GUID the duplicator has and give the real user a valid GUID.
This would limit any damage a duplicator could inflict to one login. Can't think of a much better solution than that :).