I don't know whether I could ask this question or even whether this question is dumb!

I am a member of Ubuntuforums.org and LinuxQuestions.org. While the former doesn't remember me once I restart my computer, the latter does! I know this is something similar to 'keep me signed in unless I sign out' in Yahoo!.

But I am sort of curious to know how this is achieved!

Could anyone help me in understanding this?

It is done via a cookie (or actually several). These are small text files stored on your PC, that contain data used by websites. As well as their text content - which might be a userid, or hashed (encrypted) password - they also have an expiry date. Assuming you haven't set any other preferences in your browser, this expiry date can either be at the end of the session, or a particular date.

If you are using Firefox, you can view your cookies by selecting Edit > Preferences > Privacy, and clicking "show cookies". You should find an entry in the list for linuxquestions.org - expand this, and take a look.

I have (among others):

• bbpassword - contains my hashed password - expires 26/07/2009
• bbuserid - contains a numeric id (not my username) - expires 26/07/2009
• bbsessionhash - contains my current sessionid - expires at end of session

Cookies can be helpful, but there are also privacy issues (for instance, marketing companies can use "tracker cookies" to monitor your web activity). Firefox allows you to block cookies from particular domains (I have it ask me for each cookie, and block all from *.2o7.net, *.doubleclick.net, etc) or to set cookies to expire at the end of the session, whatever the expiry date.

See HowStuffWorks for more.

Rob

also your login info as he said (robhogg)since being stored in a cookie is only on the pc you logged in with, so it wont be there when you try to log in with another computer...plus your browser must support it as some do not.

Thank you very much Robhogg and esm_menc. Those were great explanations.

Hi Robhogg and esm_menc,

I had another question on this issue, while I was sitting in a Biophysics class. [I find a lot of similarity between how we guys code and how DNA replication in our body is carefully, proofread :P ]

Given that our cookies are stored as small data files in our computer, can't we hack somebody's password by finding these data files? Obviously this can't be that easy else no one would want them.

Can you enlighten us more ?

Not easy, in fact it's hard! The password is hashed using a cryptographic function. Although not unbreakable, if a good-enough algorithm is used there's no way of cracking it beyond brute-force. It is possible to find "collisions" where more than one "plaintext" hashes to the same value, and with some functions this has become too easy to be really secure. The LQ password hash is 32 hex characters, 128 bits (so possibly is MD5).

Of course for a site like LQ which allows you to stay fully logged in, often there would be no need to crack the password - just get at my PC, and you will be able to post as me (though would need the password to change some details). Sites where more is at stake should certainly not be storing passwords on the PC, encrypted or not. I have far fewer cookies stored from Amazon or my bank than from LQ, and none of them look like a password.

There will be utilities on your system to calculate these hashes, if you want to experiment with them: