How can any kind of reasonable security and the 'keep me logged in on this computer' checkbox be compatible?
You've seen it everywhere, but let's take gamedev as an example. You create your account with your name and password and such. Then you log into the site. And if you're like me you also click that "keep me logged in on this computer" checkbox so that you don't have to futz around with passwords again.
This is, obviously, done with a browser cookie that stores enough information to get you logged in. The question is, how can this be done in a manner that's even somewhat secure? The simplest solution, storing the name and password as plaintext in the cookie, is obviously flawed. However, even if I mashed the username and password together and did some kind of hash that I could then compare against a similar hash on the server, all that does is prevent someone from retrieving the username and password by reading the cookie -- it doesn't prevent someone from duplicating the cookie on another machine and logging in.
Is this just a necessary evil of the 'keep me logged in on this computer' checkbox, or is there something I'm missing?
I'm just wondering this because my games will work similarly to that. You'll create your account, then the first time you start a daily puzzle, it'll ask for your username and password. You'll then have a checkbox just like that, and if you check it you'll be automatically logged in for any games you play on the machine, and it'll be done by exactly the same method that the games currently remember your name and volume settings - by Flash Shared Objects (aka Flash Cookies). Flash Cookies are very similar to standard browser cookies (search your hard drive for .SOL files and you'll find 'em), and they're about as easy to read with simple freeware tools.
So I figured I'd stand on the shoulders of giants and ask what's the method to store a secure 'keep me logged in on this computer' cookie.
And if there ain't one, as appears to be the case, say "there ain't one".
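As an added example that is not part of the original post: one common server-side design stores a random token in the cookie instead of anything derived from the password, keeps only the token's hash on the server, and replaces the token every time it is used. The class and method names are hypothetical, and the in-memory dict is an assumed stand-in for a database table.

```python
import hashlib
import secrets
import time


class RememberMeStore:
    """Server-side remember-me tokens (hypothetical names, dict stands in for a DB)."""

    def __init__(self, lifetime=30 * 24 * 3600):
        self.lifetime = lifetime
        self.rows = {}  # series -> (user, sha256 of current token, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, series=None, now=None):
        """Create (or rotate) a token; the return value is what goes in the cookie."""
        now = time.time() if now is None else now
        series = series or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)  # random, unrelated to the password
        self.rows[series] = (user, self._digest(token), now + self.lifetime)
        return f"{series}:{token}"

    def revoke_user(self, user):
        """Drop every remembered login for this user."""
        self.rows = {s: r for s, r in self.rows.items() if r[0] != user}

    def redeem(self, cookie, now=None):
        """Return (user, replacement_cookie) on success, (None, None) otherwise."""
        now = time.time() if now is None else now
        series, _, token = cookie.partition(":")
        row = self.rows.get(series)
        if row is None:
            return None, None
        user, digest, expires = row
        if now > expires:
            del self.rows[series]
            return None, None
        if not secrets.compare_digest(digest, self._digest(token)):
            # Known series but stale token: the cookie exists in two places and
            # one copy was already used, so force a password login everywhere.
            self.revoke_user(user)
            return None, None
        return user, self.issue(user, series, now)  # single use: rotate the token
```

A copied cookie still logs in if it is presented before the original is, so this limits the exposure rather than removing it: the cookie never reveals the password, it expires, it can be revoked server-side, and the second presentation of a copied token is detected.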