"keep connected" / "remind me" option in login screens

6

I'm implementing a login screen and my client asked to add a "Keep Connected" checkbox below the login credentials.

Ok, adding is easy.

But what is the correct behavior for this functionality?

Is there any default behavior for these cases? Or should I work out with the client how he wants this functionality to work?

asked by anonymous 06.09.2015 / 06:15

1 answer

6

How this option works (in general)

The behavior may vary, but it is usually associated with the client not having to log in to the site every time the session expires or the browser closes.

This is common on many websites; it saves you from logging into dozens of accounts for various services (email, social networking, etc.) every time you turn on your computer or whenever the session expires.

What you should generally do is save a random secret code in a persistent cookie after the first login, also saving the hash of that code in your database. If a user accesses the site without being logged in but has a valid code, then it is assumed to be the same user returning to the site and you authenticate them automatically.

Security

Well, of course not everything is that simple. Security becomes a serious problem in these cases. What stops someone from simply stealing the user's cookie and passing themselves off as that user?

There are several techniques to mitigate this, but nothing is 100% safe. I will not go into implementation details. There is an example here if you want to see one. Let's look at some high-level precautions:

  • Do not allow the automatically authenticated user to perform destructive or privileged actions without authenticating again. Many sites do this; it's as if the same user had two types of access. With automatic authentication he can only view data or perform basic actions. If he wants to, for example, change the password or make a payment, then the password is always required again.

  • Require the password regularly. Some systems do not "remember" forever. Evernote, for example, has the option to remember the user for 14 days. Authenticating again once every one or two weeks is an interesting middle ground between doing this always and doing it just once.

  • Negotiate with the client

    The client is usually not the best person to decide on all the details when it comes to security.

    I mean, he's the one who will decide in the end, but as someone who understands what he's doing, explain to him the implications of each decision, as well as their cost.

    An interesting approach is:

    • Explain to the client the possible risks of "keeping connected"
    • Propose the means you intend to use to mitigate each one
    • Show the impact on cost, as this is not something that should simply be done any old way

07.09.2015 / 11:58
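A worked version of the scheme the answer describes (a random secret in a persistent cookie, only its hash stored server-side, a 14-day expiry like the Evernote example, and reduced privileges for automatically authenticated sessions), added here as an example and not code from the original answer. The in-memory `TOKEN_TABLE` stands in for a database table and the action names are made up; times are Unix timestamps in seconds.

```python
import hashlib
import secrets

REMEMBER_SECONDS = 14 * 24 * 3600  # 14-day expiry, as in the Evernote example

# Constructed stand-in for a DB table: sha256(cookie secret) -> row.
# The raw secret is never stored, so a leaked table cannot be replayed.
TOKEN_TABLE: dict[str, dict] = {}


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_remember_cookie(user_id: str, now: float) -> str:
    """Called after a successful password login with the box checked.
    Returns the cookie value to set; only its hash goes into the table."""
    secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKEN_TABLE[_hash(secret)] = {
        "user_id": user_id,
        "expires": now + REMEMBER_SECONDS,
    }
    return secret


def authenticate_from_cookie(cookie: str, now: float):
    """Returns (user_id, "remembered") for a valid, unexpired cookie, else None.
    "remembered" is the answer's second, weaker type of access."""
    key = _hash(cookie)
    row = TOKEN_TABLE.get(key)
    if row is None:
        return None  # unknown or already revoked token
    if now >= row["expires"]:
        del TOKEN_TABLE[key]  # expired: force a real password login
        return None
    return row["user_id"], "remembered"


def revoke_remember_cookie(cookie: str) -> None:
    """Log out / password change: invalidate the stored hash."""
    TOKEN_TABLE.pop(_hash(cookie), None)


def may_perform(action: str, access_level: str) -> bool:
    """Privileged actions (hypothetical names) need a fresh password login."""
    privileged = {"change_password", "make_payment"}
    return access_level == "password" or action not in privileged
```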