[Catalyst] Remember Me?

Carl Franks fireartist at gmail.com
Tue Dec 11 07:50:11 GMT 2007


On 11/12/2007, Bill Moseley <moseley at hank.org> wrote:
> What's the current thinking about those "remember me" checkboxes on
> login forms that basically allow users to return to the site and
> automatically log in?

I think first, you have to make a judgement about the value of the
data / functionality you're offering.

I really like the Amazon model, but it's not going to be suitable for
every application.
With Amazon, when you log in it implicitly does a "remember me", so
that if you close the browser, and come back later, it knows who you
are and you can add / remove things from your basket.
However, if you want to do anything more than manage your basket, it
switches to SSL and requires your username / password. I'm not sure if
at this stage, it uses a session cookie, or just a short-term cookie.
Overall, this works very well.
I'm not bothered if someone comes along after me and can see what's in
my basket. If I were on a public machine, I know to log out manually.

I do value being given the choice, when it's appropriate that I can
decide for myself.
I would never expect my bank's website to offer a 'remember me', and I
would never allow my browser to remember the credentials for me.
On my laptop at home, I use Gmail's and use.perl's 'remember me',
because I hit them both so often. For everything else, I let the
browser remember the credentials for me.
On my work machine, I only use use.perl's 'remember me' because it's
very 'low value', and only let the browser remember the credentials
for work-related websites.

I suppose my summary would be: if it's not high value data, provide a
'remember me'.
If the content / functionality changes much depending on if you're
logged in, provide a 'remember me'.
Give the user the choice to work the way they want to work.

...just my 2 cents

Carl
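
Added example, not part of the original message and not Catalyst code: a sketch of the two-tier model described above, where a long-lived "remember me" cookie is enough for low-value actions and sensitive actions need HTTPS plus a recent password login. The token format, the lifetimes, the action names and the choice of a short-lived second cookie are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side signing key (constructed)
REMEMBER_TTL = 30 * 24 * 3600     # assumption: lifetime of the "remember me" cookie
STEP_UP_TTL = 15 * 60             # assumption: how long a password login stays fresh
SENSITIVE = {"checkout", "change_address"}  # hypothetical high-value actions


def _sign(kind, user, expires):
    msg = f"{kind}|{user}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue(kind, user, now, ttl):
    """Build a signed token; the kind is bound into the MAC so that a
    'remember' token can never be replayed as an 'auth' token."""
    expires = int(now) + ttl
    return f"{kind}|{user}|{expires}|{_sign(kind, user, expires)}"


def verify(token, kind, now):
    """Return the user name for a valid, unexpired token of `kind`, else None."""
    try:
        t_kind, user, expires, mac = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):  # missing or malformed cookie
        return None
    expected = _sign(t_kind, user, expires)
    if t_kind != kind or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user if now < expires else None


def authorize(action, cookies, now, is_https):
    """Decide 'allow', 'reauth' (ask for the password again) or 'login'."""
    user = verify(cookies.get("remember"), "remember", now)
    if user is None:
        return "login"
    if action not in SENSITIVE:
        return "allow"  # low-value: the remembered identity is enough
    # High-value: require TLS and a fresh password login by the same user.
    # The 'auth' cookie would be set with the Secure flag after that login.
    if is_https and verify(cookies.get("auth"), "auth", now) == user:
        return "allow"
    return "reauth"
```
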


