[Catalyst] Remember Me?

Bill Moseley moseley at hank.org
Tue Dec 11 15:13:04 GMT 2007


On Tue, Dec 11, 2007 at 07:50:11AM +0000, Carl Franks wrote:
> I think first, you have to make a judgement about the value of the
> data / functionality you're offering.

Yes, indeed, and I left that out of my question.

I agree with what you and Peter said about the Amazon model.  It's
convenient and seems to work well.  Yahoo implements something similar
although they seem to ask for the password more often.

I'm less convinced of that model with an application that might
contain all user-generated (private) data and where using the
application might incur charges to the user.

Perhaps moving to all SSL pages for the content part of that kind of
site would at least ensure that the cookies are not hijacked.   That
would at least bring it up to the level of the login screen since the
credentials (username/password or cookie) would be over an encrypted
connection.  But, still doesn't protect against, say, a co-worker using
that machine.

> I'm not bothered if someone comes along after me and can see what's in
> my basket. If I were on a public machine, I know to logout manually.

What does "logout" do with respect to the "remember me" state?  Should
it remove just that machine's "remember me" cookie (and server-side
token) or all of the user's state (as when they used multiple
browsers/machines to log in)?


I log into many places where the data isn't very important so have
become used to letting the browser remember my credentials.  So, that
extra step of clicking the login button doesn't feel inconvenient.
Others are probably more used to a "remember me" feature.  I prefer to
keep managing my own credential store, but I suppose it depends where you
consider the greater threat -- hijacking en route cookies vs. physical
access to the computer.

It's nice when a level of security can be moved to a layer above the
application -- less code to be insecure in the application. ;)  That's
kind of what using the browser to remember form data does.

Thanks for the feedback.


-- 
Bill Moseley
moseley at hank.org
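One way to make the logout question above concrete, as an added Python sketch that is not from the thread or from Catalyst: a server-side store holding one hashed token per browser/machine, so "logout" can forget only the current machine or every machine the user was remembered on. The class and user names (RememberMeStore, "alice") are assumptions for illustration.

```python
import hashlib
import os
import time

REMEMBER_DAYS = 30

class RememberMeStore:
    """Server-side 'remember me' tokens, one per browser/machine, stored hashed."""
    def __init__(self):
        self._tokens = {}  # user -> {sha256(token): expiry_epoch}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Mint a fresh per-device token; the raw value goes only into the cookie."""
        now = now or time.time()
        token = os.urandom(32).hex()
        self._tokens.setdefault(user, {})[self._h(token)] = now + REMEMBER_DAYS * 86400
        return token

    def cookie_header(self, token):
        # Secure keeps the cookie off plain-HTTP requests (the in-transit hijacking
        # concern above); HttpOnly keeps page scripts from reading it.
        return f"remember={token}; Max-Age={REMEMBER_DAYS * 86400}; Secure; HttpOnly; SameSite=Lax"

    def lookup(self, user, token, now=None):
        """True if this device's token is known and not expired."""
        now = now or time.time()
        expiry = self._tokens.get(user, {}).get(self._h(token))
        return expiry is not None and expiry > now

    def logout_this_device(self, user, token):
        """Logout as Carl uses it: forget only the machine being walked away from."""
        self._tokens.get(user, {}).pop(self._h(token), None)

    def logout_everywhere(self, user):
        """Revoke every browser/machine that was ever remembered for this user."""
        self._tokens.pop(user, None)

def demo():
    """Two remembered machines (constructed sample): per-device logout leaves the
    other one intact, logout-everywhere revokes both."""
    store = RememberMeStore()
    home, work = store.issue("alice"), store.issue("alice")
    store.logout_this_device("alice", work)
    home_after_device_logout = store.lookup("alice", home)
    store.logout_everywhere("alice")
    return home_after_device_logout, store.lookup("alice", home)
```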
