Implement a “remember me” checkbox? #33
Comments
I have this on my own site now too. It shows a button instead of the password field if I'm already logged in (taken the idea from Aaron). Also to think about: remember an app.
The problem with adding a session is already that we lose statelessness (which we have right now, even for the CSRF). Remembering an app – if you want to remember it over several sessions – requires not only introducing a session but also some server-side data storage.
You can always store things in the network. You can implement sessions without any server-side storage by using an encrypted cookie to store things. You could even remember an app by storing that state in a cookie.
For some reason I always forget about cookies. Yes, that would definitely work. Though I’m unsure about the max size of a cookie these days… important if you want to store remembered apps. (Although with the handful of apps available today that shouldn’t be a problem.)
Yeah max cookie length is a consideration but there's ways around that too. Use a cookie name that includes the key of what you're storing so you'd end up with a bunch of cookies. (E.g.
I was just thinking about this re: UX. I use a password manager so my login is always only one keyboard shortcut away, but for many people switching to selfauth means they have to keep entering their password again and again.
This is also not something they would need to do with RelMeAuth, as they are likely already logged in to the silos they use.
Should we consider a “remember password” checkbox and then create a session to keep the user “logged in”? This would simply remove the password box and after form submit check the session instead of a sent password.
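A sketch of the “remember me” session proposed in this issue, kept stateless with the cookie approach suggested in the comments. This is an added example, not selfauth's code or any commenter's. It signs the cookie with HMAC-SHA256 instead of encrypting it, so the client can read the contents but cannot alter them or extend the expiry. The cookie names (`sa_login`, `sa_app_…`), the secret, the 30-day lifetime and the payload fields are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: server-only key, never sent to the client
MAX_AGE = 30 * 24 * 3600             # assumption: "remember me" lasts 30 days


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mac(name: str, body: str) -> bytes:
    # The MAC covers the cookie name, so a valid value cannot be replayed under another name.
    return b64(hmac.new(SECRET, f"{name}.{body}".encode(), hashlib.sha256).digest()).encode()


def make_cookie(name: str, data: dict, now=None) -> str:
    """Serialize data plus an expiry and append a MAC; nothing is stored server-side."""
    issued = int(time.time() if now is None else now)
    body = b64(json.dumps(dict(data, exp=issued + MAX_AGE), sort_keys=True).encode())
    return f"{body}.{mac(name, body).decode()}"


def read_cookie(name: str, value: str, now=None):
    """Return the payload dict, or None if the cookie is malformed, forged or expired."""
    try:
        body, sig = value.split(".")
        # Constant-time comparison; the payload is parsed only after the MAC checks out.
        if not hmac.compare_digest(sig.encode(), mac(name, body)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, AttributeError):
        return None
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) < current:
        return None
    return payload


def app_cookie_name(client_id: str) -> str:
    # One cookie per remembered app: the key is part of the cookie name,
    # so no single cookie grows toward the browser's size limit.
    return "sa_app_" + hashlib.sha256(client_id.encode()).hexdigest()[:16]
```

Set these cookies with the `Secure`, `HttpOnly` and `SameSite` attributes; changing the secret invalidates every remembered login at once.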