Remember me or not?
I was told to post this on webmasters instead of stackoverflow.
Is it safe to have the remember me feature? Would it be somewhat safe (knowing it won't be 100% safe) to allow users to close their browser and come back still logged in? I am not exactly sure which way I should go after reading different things about safety. I learned about session fixation and implemented security to add more protection.
From experience, if remember me is checked then only your username/email appears and requires you to re-enter your password. Other sites allow you to come in and out as much as you want without logging out after the browser has closed.
If it is safe, what is the current best way of implementing remember/stay logged in?
stackoverflow.com/questions/3531377/best-practise-for-remember-me-feature
https://stackoverflow.com/questions/5087969/what-is-the-code-for-stay-logged-in-or-remember-me-while-user-login-in-php
bytes.com/topic/php/answers/881197-stay-logged-remember-me-php-sessions-cookies
security.stackexchange.com/questions/41/good-session-practices
Also: The site I am working on is email & password login type.
If you allow the "remember me" feature to permit users to be automatically logged in again on their return then you can restrict the access rights of an "auto-logged in" user until they select a 'high risk' option (such as change password / profile information) at which point you prompt for a password to make them a "fully-logged in" user once again.
It is as safe as it seems. If you allow them to stay logged in even after rebooting the browser, then someone can get on the computer after your user and still access everything your user can access. If you are worried about someone using your site inappropriately, then you need to make a lot of adjustments on your end, even with registered users, to make it "safe". If you are worried about the user's information being compromised (like a little brother getting on Facebook and writing a bunch of stupid stuff) then you need to consider that too. Considering the fact that you should always protect YOUR site from EVERYONE (even registered users) I will assume for the rest of this answer you are thinking about "safe" for the user.
You need to come up with a plan that best suits your users' needs. Wikipedia allows you to stay in for 180 days. Some sites never log you out. My bank logs me out after 15 minutes, and my school punts me after 10 minutes EVEN IF I AM WRITING EMAIL!! (so irritating...)
You can design it so that the user can choose from a few options too: stay fully logged in forever; stay logged in for a week/day/session; keep the username handy but require a password.
There are a lot of options, but you need to find your balance between "safe" and obnoxious...
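Putting the two answers together in code (an added example, not from either answerer or from the asker's site): the first answer's split between an "auto-logged in" and a "fully-logged in" user, where high-risk actions prompt for the password again, and the second answer's menu of lifetimes (forever, week, day, session only). The remember-me cookie uses the common selector/validator pattern: the server stores only a hash of the validator, so a leaked token table cannot be replayed, and a valid selector with a wrong validator is treated as theft and revoked. The `AuthService` class, the `REMEMBER_LIFETIMES` and `HIGH_RISK_ACTIONS` tables and the injectable clock are all assumptions made for this example; the "keep the username handy" option is just a cookie holding the email with no token, so it needs none of this machinery.

```python
import hashlib
import hmac
import secrets
import time

# Lifetimes from the second answer, in seconds. None = no expiry ("forever"),
# 0 = browser session only, so no persistent cookie is issued. Constructed for this example.
REMEMBER_LIFETIMES = {"forever": None, "week": 7 * 86400, "day": 86400, "session": 0}

# The first answer's "high risk" options: an auto-logged-in user must re-enter the
# password before these run. Constructed set for this example.
HIGH_RISK_ACTIONS = {"change_password", "edit_profile"}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Hypothetical in-memory login service; the clock is injectable for testing expiry."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # email -> (salt, password hash)
        self.sessions = {}   # session id -> {"email", "level": "full" | "auto"}
        self.remember = {}   # selector -> (sha256(validator), email, expires or None)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _hash_password(password, salt))

    def _check_password(self, email: str, password: str) -> bool:
        rec = self.accounts.get(email)
        if rec is None:
            return False
        salt, pw_hash = rec
        return hmac.compare_digest(pw_hash, _hash_password(password, salt))

    def login(self, email: str, password: str, remember: str = "session"):
        """Password login. Returns (session id, remember cookie or None); level is 'full'."""
        if not self._check_password(email, password):
            return None
        sid = secrets.token_urlsafe(32)   # fresh id on every login (no session fixation)
        self.sessions[sid] = {"email": email, "level": "full"}
        cookie = None
        lifetime = REMEMBER_LIFETIMES[remember]
        if lifetime != 0:
            selector = secrets.token_urlsafe(12)
            validator = secrets.token_urlsafe(32)
            expires = None if lifetime is None else self.clock() + lifetime
            self.remember[selector] = (hashlib.sha256(validator.encode()).digest(), email, expires)
            cookie = f"{selector}:{validator}"
        return sid, cookie

    def login_from_cookie(self, cookie):
        """Restore a session from the remember-me cookie. The session is only 'auto' level."""
        try:
            selector, validator = cookie.split(":", 1)
        except (ValueError, AttributeError):
            return None
        rec = self.remember.get(selector)
        if rec is None:
            return None
        stored_hash, email, expires = rec
        if expires is not None and self.clock() > expires:
            del self.remember[selector]
            return None
        if not hmac.compare_digest(stored_hash, hashlib.sha256(validator.encode()).digest()):
            del self.remember[selector]   # right selector, wrong secret: revoke it
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"email": email, "level": "auto"}
        return sid

    def authorize(self, sid: str, action: str) -> bool:
        """True if the session may run the action without re-entering the password."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        return not (action in HIGH_RISK_ACTIONS and sess["level"] == "auto")

    def reauthenticate(self, sid: str, password: str) -> bool:
        """Upgrade an 'auto' session to 'full' after a fresh password check."""
        sess = self.sessions.get(sid)
        if sess is None or not self._check_password(sess["email"], password):
            return False
        sess["level"] = "full"
        return True
```

In a real deployment the `selector:validator` string goes into a cookie set with the `HttpOnly` and `Secure` flags, and the `remember` table lives in the database so a user can revoke tokens from other devices.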