Option "keep connected" / "remember me" on login screens


I am implementing a login screen and my client asked me to add a "Keep me logged in" checkbox below the login credentials.

Okay, adding is easy.

But what is the correct behavior for this feature?

Is there any standard behavior for these cases? Or should I ask the customer how he wants this feature to work?

1 answer

How this option works (in general)

Behavior may vary, but it is usually about the user not having to log in to the site again every time the session expires or they close the browser.

This is common on many websites; it saves you from having to log in to dozens of accounts on various services (email, social networks, etc.) every time you turn on your computer or after the session expires.

What this option should usually do is save a random secret code in a persistent cookie after the first login, while also saving a hash of that cookie value in your database. If a user accesses the site without being logged in but presents a valid code, it is assumed to be the same user returning to the site, and you authenticate them automatically.

Security

Well, of course, not everything is that simple. Security becomes a serious problem in these cases. How do you stop someone from simply stealing the user's cookie and impersonating them?

There are several techniques to mitigate this, but none is 100% secure. I won't go into implementation details; there is an example here if you want to see one. Let's look at some precautions at a high level:

  1. Save only the hash of the secret code in the database, the same way you do with passwords, so that someone with access to the DB cannot obtain the original code.

  2. Do not allow the automatically authenticated user to perform destructive or privileged actions without authenticating again. Many websites do this; it is as if the same user had two levels of access. With automatic authentication they can only view data or perform basic actions. If they want, for example, to change the password or make a payment, the password is always required again.

  3. Require the password periodically. Some systems don't "remember" forever. Evernote, for example, has the option to remember the user for 14 days. Re-authenticating once every week or two is an interesting middle ground between doing it every time and doing it only once.

Negotiate with the customer

The customer is usually not the best person to decide on all the details when it comes to security.

I mean, he is the one who will decide in the end, but only after someone who understands the subject has explained to him the implications of each decision, as well as their cost.

An interesting approach is:

  • Explain to the customer the possible risks of "keep me logged in"
  • Propose the means you intend to use to mitigate each of them
  • Show the impact on cost, since this is not something that should simply be done any old way

  • Fantastic explanation!!! In my application I am doing the authentication control with tokens: when the user authenticates I generate a token that expires in 360 seconds, and I also have a refresh token (I don't remember its expiration time). Based on your explanation, I will save the refresh token in a cookie if the user selects the "remember me" option. What do you think?

  • @Fabio Seems like a reasonable solution.
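The three precautions from the answer (hash-only storage, two access levels, a hard lifetime), put together in a runnable form as an added example; this is not code from the answer or from either commenter. It uses a plain dictionary as a hypothetical stand-in for the database table, and all function and field names are assumptions. It goes slightly beyond the answer in two ways a practitioner would want: the cookie is split into a public selector (so the row can be looked up without scanning hashes) and a secret validator (only its hash is stored), and each successful use rotates the token while keeping the original absolute expiry, so a copied cookie stops working as soon as either party presents it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

REMEMBER_TTL = 14 * 86400          # seconds; re-authenticate every two weeks, as in the answer
PRIVILEGED_ACTIONS = {"change_password", "make_payment", "delete_account"}


@dataclass
class RememberRecord:
    """One row of the (hypothetical, in-memory) remember-me table."""
    user_id: int
    validator_hash: str            # hex SHA-256 of the secret part; the secret itself is never stored
    expires_at: float              # unix time; absolute, not extended on use


def _hash_validator(validator: str) -> str:
    # The validator is 256 random bits, so a fast hash suffices; slow hashes
    # (bcrypt, argon2) are for low-entropy secrets such as passwords.
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_cookie(user_id: int, store: dict, now: float,
                          expires_at: Optional[float] = None) -> str:
    """Create a token, store only its hash, return the cookie value 'selector:validator'."""
    selector = secrets.token_urlsafe(12)        # public lookup key for the DB row
    validator = secrets.token_urlsafe(32)       # secret part, lives only in the cookie
    if expires_at is None:
        expires_at = now + REMEMBER_TTL
    store[selector] = RememberRecord(user_id, _hash_validator(validator), expires_at)
    return f"{selector}:{validator}"


def set_cookie_header(value: str) -> str:
    """Set-Cookie line with the attributes a persistent login cookie should carry."""
    return (f"Set-Cookie: remember_me={value}; Max-Age={REMEMBER_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def authenticate_from_cookie(cookie: Optional[str], store: dict, now: float):
    """Return (session, rotated_cookie) for a valid cookie, else (None, None).

    The token is single-use: each successful use revokes it and issues a new one
    with the same absolute expiry, so a copied cookie stops working as soon as
    either the owner or the thief presents it.
    """
    if not cookie or ":" not in cookie:
        return None, None
    selector, validator = cookie.split(":", 1)
    record = store.get(selector)
    if record is None:
        return None, None
    if now >= record.expires_at:
        del store[selector]                    # lifetime over: password required again
        return None, None
    if not hmac.compare_digest(_hash_validator(validator), record.validator_hash):
        del store[selector]                    # right selector, wrong secret: assume tampering
        return None, None
    del store[selector]                        # consumed; rotate
    new_cookie = issue_remember_cookie(record.user_id, store, now, record.expires_at)
    return {"user_id": record.user_id, "auth_level": "remembered"}, new_cookie


def full_session_after_password(user_id: int) -> dict:
    """Session created right after a successful password check (verification not shown)."""
    return {"user_id": user_id, "auth_level": "full"}


def authorize(session: Optional[dict], action: str) -> bool:
    """Two access levels: a remembered session may only perform ordinary actions."""
    if session is None:
        return False
    if action in PRIVILEGED_ACTIONS:
        return session["auth_level"] == "full"
    return True


def revoke_all(user_id: int, store: dict) -> int:
    """On password change or 'log out everywhere', drop every remember token of the user."""
    doomed = [s for s, r in store.items() if r.user_id == user_id]
    for s in doomed:
        del store[s]
    return len(doomed)


if __name__ == "__main__":
    db = {}                                    # constructed stand-in for the database table
    cookie = issue_remember_cookie(42, db, time.time())
    print(set_cookie_header(cookie))
    session, cookie = authenticate_from_cookie(cookie, db, time.time())
    print(session, authorize(session, "view_inbox"), authorize(session, "make_payment"))
```

The comparison uses `hmac.compare_digest` so that a wrong validator does not leak how many leading bytes matched; a mismatch on a known selector is treated as tampering and the row is dropped rather than left for further guesses. Rotating on every use means the old and the new cookie can never both be valid, which turns a silent theft into a visible logout for whichever side presents the stale value second. Call `revoke_all` whenever the password changes, since that is exactly the moment every outstanding "remember me" token should die.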
