Give a user the option to stay logged in

I thought this would be so straightforward but it does not seem to be.
I want to give users the option when they log in to check a checkbox that
will leave them logged in, but I cannot seem to figure out how.

On top of that I am trying to figure out if it matters what session store
I am using. Right now I am using Active Record but I am looking to move
over to memcache. Does it depend on the session store?

I would really appreciate any input I can get on this subject!


John K.

Blog: http://www.kopanas.com
Conference: http://www.cusec.net
Twits: http://www.twitter.com/kopanas

On 4 Nov 2008, at 14:53, John K. wrote:

I thought this would be so straightforward but it does not seem to be.

I want to give users the option when they log in to check a checkbox
that will leave them logged in, but I cannot seem to figure out how.

On top of that I am trying to figure out if it matters what session
store I am using. Right now I am using Active Record but I am
looking to move over to memcache. Does it depend on the session store?

It doesn’t (since the whole point is that you want something that will
outlast the session). Typically one stores a cookie with some sort of
token. Restful authentication does this; you could have a look at the
code in there.

Fred
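
The cookie-with-a-token approach Fred describes, as an added example that is not part of the thread and is not Restful authentication's code. `RememberStore`, its in-memory hash (a stand-in for a users table), the two-week lifetime and the `user_id:token` cookie layout are all assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-in for a users table: user_id => { digest:, expires_at: }.
# It is separate from the session store, so the token survives session expiry.
class RememberStore
  LIFETIME = 14 * 24 * 60 * 60 # two weeks in seconds (assumed policy)

  def initialize
    @rows = {}
  end

  # Call at login only when the user ticked the checkbox (opt-in).
  # Returns the value for a long-lived cookie (set it HttpOnly and Secure).
  def issue(user_id, now: Time.now)
    token = SecureRandom.hex(32) # 256 bits from the OS CSPRNG
    # Only a digest is stored, so a leaked table does not yield usable cookies.
    @rows[user_id] = { digest: Digest::SHA256.hexdigest(token),
                       expires_at: now + LIFETIME }
    "#{user_id}:#{token}"
  end

  # Call when a request has no live session but carries the cookie.
  # Returns [user_id, replacement_cookie_value], or nil if the token is
  # unknown, malformed, expired or already used.
  def redeem(cookie_value, now: Time.now)
    user_id, token = cookie_value.to_s.split(':', 2)
    row = @rows[user_id]
    return nil if row.nil? || token.nil? || now >= row[:expires_at]
    return nil unless secure_equal?(row[:digest], Digest::SHA256.hexdigest(token))
    # Rotate on every use: a copied cookie stops working once either side redeems.
    [user_id, issue(user_id, now: now)]
  end

  # Call on logout or password change.
  def revoke(user_id)
    @rows.delete(user_id)
  end

  private

  # Compare without returning early on the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```
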

I want to give users the option when they log in to check a checkbox that
will leave them logged in, but I cannot seem to figure out how.

One note on this: Be aware that by doing this you are leaving your users
more exposed to click-jacking attacks. I, personally, hate when this
option is presented as an opt-out. It’s fine to present the option, but
I recommend making it opt-in not opt-out. I also use an external
password manager and never use the built-in autofill features provided
by most modern browsers (I am using 1Password on my Mac for this, which
I highly recommend to any Mac users out there). I enter my 1Password
into a popup dialog, and not the actual username and password of the
actual site, protecting me from any click-jacking attacks.

John K. wrote:

I thought this would be so straightforward but it does not seem to be.
I want to give users the option when they log in to check a checkbox that
will leave them logged in, but I cannot seem to figure out how.