How do I allow a returning user to log in automatically to my web app?
I would also like to be able to disable the function from the server so the next time they log in it requires a password.
I'm assuming it's to do with a cookie, but I don't want to be storing passwords in there and I would like to ensure the login is secure.
So what's the best way to do this?
You should also set an expiry date on the cookie that isn't too long.
Remember that a "Remember me" feature is in itself a security-lowering feature. Only implement it if you really need to, and make sure you use SSL (https) for your app.
In my web starter kit I create a UUID on each successful login. This UUID is stored in a cookie for the next automatic login.
The cookie has an expiration date, and when you log in on another computer the old UUID turns invalid as a new one is created.
Well, I'm playing around with this. I like the idea of storing the token in the cookie and using that as a key on a table to allow that user from that IP.
Mostly this is intranet based and I'm checking the IP address and username to see if they are allowed to connect. If they have the token then I can pass them through, and I can have a timer that weeds out tokens after a period of time. If they log in from the same PC then I will reset the last access time, so it's only if they don't return for a day or two that I remove the auto logon.
Another thing that is rather handy is to note in your access logs the method of login: username/password, RSA Key, remember me token… That way when a user claims not to have accessed the system at a certain time you can check to see if the user was using the remember me function and left their workstation open to everyone.
It may be worth having a table of those keys, so you can later check them and keep their status.
Like having several tokens for several PCs.
And a record with last used IP and time stamps for creation/last use.
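Pulling the thread's suggestions together (a random token issued on each password login and stored in the cookie, a server-side table keyed by the token holding status, device, last-used IP and creation/last-use timestamps, an idle timer that weeds out tokens but is reset on each use, a server-side revoke so the next visit asks for a password, and an access log that records the login method), here is an added example in Python. It is not code from any poster; the `RememberMeStore` class, the two-day idle window, the injected clock and the in-memory dict standing in for the database table are all assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TTL = 2 * 24 * 3600       # assumed: token dies if unused for two days (the "day or two" above)
ABSOLUTE_TTL = 30 * 24 * 3600  # assumed: hard cap so a busy device still re-authenticates monthly


@dataclass
class TokenRecord:
    """One row of the server-side token table: one record per device."""
    user: str
    device: str
    created: int
    last_used: int
    last_ip: str
    revoked: bool = False


def _hash(token: str) -> str:
    # Only the hash is persisted, so a dump of the table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    def __init__(self, now):
        self._now = now        # injected clock returning seconds, so behaviour is deterministic here
        self._tokens = {}      # token hash -> TokenRecord (in-memory stand-in for a DB table)
        self.access_log = []   # every login with its method, as the thread recommends

    def issue(self, user, device, ip, single_device=False):
        """Call after a successful password login; returns the value to put in the cookie."""
        if single_device:
            # Variant from the thread: a new login invalidates the tokens of other machines.
            for rec in self._tokens.values():
                if rec.user == user:
                    rec.revoked = True
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        t = self._now()
        self._tokens[_hash(token)] = TokenRecord(user, device, t, t, ip)
        self.access_log.append({"user": user, "method": "password", "ip": ip, "time": t})
        return token

    def auto_login(self, cookie_token, ip):
        """Return the user name if the cookie is valid, else None (caller then asks for a password)."""
        rec = self._tokens.get(_hash(cookie_token))   # lookup by hash, never by raw token
        if rec is None or rec.revoked:
            return None
        t = self._now()
        if t - rec.last_used > IDLE_TTL or t - rec.created > ABSOLUTE_TTL:
            rec.revoked = True            # the "timer that weeds out tokens"
            return None
        rec.last_used = t                 # sliding window: returning resets the idle timer
        rec.last_ip = ip                  # keep last used IP for later investigation
        self.access_log.append({"user": rec.user, "method": "remember_me", "ip": ip, "time": t})
        return rec.user

    def revoke_user(self, user):
        """Server-side kill switch: the user's next visit will require a password."""
        count = 0
        for rec in self._tokens.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def devices(self, user):
        """Active tokens for a user, one per PC, with last IP and timestamps."""
        return [(r.device, r.last_ip, r.created, r.last_used)
                for r in self._tokens.values() if r.user == user and not r.revoked]


if __name__ == "__main__":
    clock = [1_000_000]
    store = RememberMeStore(lambda: clock[0])
    cookie = store.issue("alice", "desk-pc", "10.0.0.5")   # constructed sample values
    print(store.auto_login(cookie, "10.0.0.5"))            # alice
    store.revoke_user("alice")
    print(store.auto_login(cookie, "10.0.0.5"))            # None
```

Because the table holds only hashes, an attacker who reads it still cannot forge a cookie, and because every `remember_me` login is written to `access_log` with the source IP, the "I never logged in at that time" question from the thread can be answered by checking whether a token, rather than a password, was used. IP binding (rejecting a token presented from a different address) can be added in `auto_login` by comparing `ip` with `rec.last_ip` before updating it.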