The Bitrix Site Manager software implements a mechanism that lets users stay authorized in the browser and on the computer from which they visit the site after the first login. It is intended to make working with the site and forums and placing e-store orders easier, and to simplify working with dealer sections and other private site sections.
This mechanism can be enabled or disabled under “System settings -> Settings -> Kernel module settings”, in the variable “Allow authorization caching”. The default value is “allow”.
If authorization preserving is allowed in the system settings, the user is offered the option “Remember me on this computer” when authorizing. If the option is checked, after successful authorization the system calculates a hash value unique to both this user and this site, stores the calculated value in the server database, and sends it to the user as a cookie. Note that this value contains neither the username nor the password and cannot be used to restore the original information.
When a user visits the site with the credentials hash stored in a cookie and authorization preserving is allowed, the system checks the value that was calculated during the last authorization and stored in the cookie on the client side. If it matches the value stored on the server, the user is automatically authorized without entering the username and password.
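The scheme described above, sketched in Python as an added illustration (not Bitrix code). The class, the cookie format, the choice of SHA-256 and the revoke step are assumptions; the page does not state which hash or token format the product uses.

```python
import hashlib
import hmac
import secrets

class RememberMeStore:
    """In-memory stand-in for the server database (hypothetical, for illustration)."""

    def __init__(self, site_id, allow_caching=True):
        self.site_id = site_id              # binds stored values to this site
        self.allow_caching = allow_caching  # models "Allow authorization caching"
        self._rows = {}                     # user_id -> digest of the issued token

    def _digest(self, user_id, token):
        # The server keeps only a digest bound to user and site, so a stored
        # row copied from the database cannot be sent back as a cookie.
        msg = f"{self.site_id}:{user_id}:{token}".encode()
        return hashlib.sha256(msg).hexdigest()

    def issue(self, user_id):
        """Call after a successful login with 'Remember me' checked."""
        if not self.allow_caching:
            return None
        token = secrets.token_urlsafe(32)   # random: no username or password inside
        self._rows[user_id] = self._digest(user_id, token)
        return f"{user_id}:{token}"         # cookie value (constructed format)

    def verify(self, cookie):
        """Return the user id if the cookie matches the stored value, else None."""
        if not self.allow_caching or not cookie or ":" not in cookie:
            return None
        uid_text, token = cookie.split(":", 1)
        if not uid_text.isdecimal():
            return None
        user_id = int(uid_text)
        stored = self._rows.get(user_id)
        if stored is None:
            return None
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(stored, self._digest(user_id, token)):
            return user_id
        return None

    def revoke(self, user_id):
        """Delete the stored value, e.g. after use on a shared computer."""
        self._rows.pop(user_id, None)
```

Because only the server-side row makes the cookie valid, deleting that row ends the preserved authorization on every browser that still holds the cookie.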
Keep in mind that a user can preserve authorization not only on their own computer but also in an internet café or a club, in which case another visitor can theoretically gain access to the user's personal data.
The authorization preserving function is very convenient for users and simplifies work with the site. However, if you develop sites holding highly confidential information, it is recommended to disable authorization preserving or to thoroughly inform users how to use this feature safely for themselves and for the project.