[Catalyst] Remember Me?

Peter Edwards peter at dragonstaff.com
Tue Dec 11 08:08:26 GMT 2007


From: Bill Moseley [mailto:moseley at hank.org] 
>What's the current thinking about those "remember me" checkboxes on
>login forms that basically allow users to return to the site and
>automatically log in?

For private business apps in the past I've persisted the session cookie and
updated the "last action time" on each validated screen load. When that
times out (between 5 and 30 minutes of inactivity) the credentials are
dropped and they get a login screen. I also tied the cookie to a specific
TCP/IP source address. You can spoof that but it's one more hurdle.

For a public web app the most common behaviour I've noticed is that
"remember me" gives you access to the site as the user but that each time
you enter a critical section (e.g. to confirm payment) you are re-prompted
for your password and I presume either timed access or a separate short term
auth cookie holding one-time transaction numbers for each step is used for
that section. I guess this is mainly to avoid script-based browser hijacking
but also to avoid captured cookie replay attacks. 

Regards, Peter
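The two designs described in the post, sketched as an added example (not code from the original post, from Catalyst, or from either author). It assumes an in-memory dict standing in for the session table, an HMAC-signed cookie value, a 30-minute idle timeout and a 5-minute step-up window; the source-address check, the sliding "last action time", the password re-prompt on entering a critical section and the one-time transaction numbers for each step are the post's ideas, and the function names, the `SessionStore` class and the timing constants are this example's own choices:

```python
import hmac
import hashlib
import secrets

# Policy values taken from the discussion: upper bound of the idle timeout
# and a short-lived step-up window for critical sections (seconds).
IDLE_TIMEOUT = 30 * 60
STEP_UP_TTL = 5 * 60

# Server-side key for signing cookie values (constructed per process here;
# a real deployment loads it from configuration so it survives restarts).
COOKIE_KEY = secrets.token_bytes(32)


def sign_cookie(session_id: str) -> str:
    """Cookie value = session id + HMAC tag, so a tampered id is rejected before lookup."""
    tag = hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def parse_cookie(cookie: str):
    """Return the session id if the tag verifies, else None (constant-time compare)."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None


class SessionStore:
    """Session records keyed by an unguessable id (a dict stands in for the database)."""

    def __init__(self):
        self.records = {}

    def login(self, user: str, source_ip: str, now: float) -> str:
        """Successful password login: create the record and return the cookie value."""
        sid = secrets.token_urlsafe(32)
        self.records[sid] = {
            "user": user,
            "ip": source_ip,          # cookie is tied to the source address, as in the post
            "last_action": now,
            "step_up_until": 0.0,     # no critical-section access until re-prompted
            "txn_numbers": set(),     # unused one-time transaction numbers
        }
        return sign_cookie(sid)

    def _drop(self, sid: str) -> None:
        self.records.pop(sid, None)

    def validate(self, cookie: str, source_ip: str, now: float):
        """Called on every screen load; returns the user name or None.

        Any failed check drops the record, so a replayed cookie stops working
        for every client, not only the one that failed the check.
        """
        sid = parse_cookie(cookie)
        rec = self.records.get(sid) if sid else None
        if rec is None:
            return None
        if rec["ip"] != source_ip:                      # presented from another address
            self._drop(sid)
            return None
        if now - rec["last_action"] > IDLE_TIMEOUT:     # inactivity timeout
            self._drop(sid)
            return None
        rec["last_action"] = now                        # slide the idle window
        return rec["user"]

    def reauthenticate(self, cookie: str, source_ip: str, password_ok: bool, now: float):
        """Password re-prompt on entering a critical section: opens a short window
        and issues a fresh one-time transaction number (or None on failure)."""
        if not password_ok or self.validate(cookie, source_ip, now) is None:
            return None
        rec = self.records[parse_cookie(cookie)]
        rec["step_up_until"] = now + STEP_UP_TTL
        txn = secrets.token_hex(16)
        rec["txn_numbers"].add(txn)
        return txn

    def critical_step(self, cookie: str, source_ip: str, txn: str, now: float) -> bool:
        """Confirm one critical step: needs a valid session, an open step-up window
        and an unused transaction number, which is consumed so the request cannot
        be replayed."""
        if self.validate(cookie, source_ip, now) is None:
            return False
        rec = self.records[parse_cookie(cookie)]
        if now > rec["step_up_until"] or txn not in rec["txn_numbers"]:
            return False
        rec["txn_numbers"].discard(txn)
        return True
```

The address check is the "one more hurdle" the post describes: it does not stop a replay from behind the same NAT, and it will log out a legitimate user whose address changes, so it is a trade-off rather than a guarantee. Keeping the transaction number server-side and consuming it on use is what makes a captured confirm request worthless on its own, even while the remember-me cookie itself stays valid.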
