Keep me log in

Torsten_Grube · March 21, 2014, 8:18am

Hello Community,

i like to implement “keep me log in” - functionality for our website, so that the user doesn’t have to enter a password if he or she did it once.

Can anybody give me a tip to solve this or is there any example available? This forum has also this functionality and it works fine.

Thank you in advance, Torsten

Ian_Jones · March 21, 2014, 10:26am

Something that worked for me was to create a tokens table where I stored a token string and date/time for the user id when they successfully logged in with their user name and password. The token for this prototype app was just the Session.Identifier, but you should really generate something by hashing on username and dates or some other data.

That token and some minimal info was then saved in a Cookie. When the user came back the session would look at the cookie, check that the token and other data matched one of the tokens in the db, updated the expiry date on the token to give it a bit longer to live (e.g. 2 weeks from current date) and saved that back to the db and cookie. There was also a cookie value for “remember me” so that the user could opt out of logging in automatically, well, actually they had to opt in by checking a checkbox.

When a user logged in successfully (whether automatically or via password) all tokens for the user were checked and any expired ones deleted to keep the table trim.

Hope that helps.

Ian_Jones · March 21, 2014, 10:27am

Oh, and when the user explicitly logged out of a session the associated token was deleted.

Thom_McGrath · March 21, 2014, 10:51am

Everything you need to know:

http://thezaz.com/blog/2013/03/persistent_login_cookies.html

Short version: if you’re not using SSL, don’t do it. If you are, it’s pretty simple. Persistent login tokens are password equivalent, so they must be treated with the same care you’d give the user’s password.

Torsten_Grube · March 26, 2014, 6:22pm

Thank you both. May be I will use cookies.

I think most of the browsers supports saving log in data. For example if I log in to a webmailer, the browser (e.g. Safari) ask me to store the user data and password. The browser must identify the log in dialog. Do you know how the browser identify this and it is possible to implement it in a xojo web app?

Ian_Jones · March 27, 2014, 12:20am

If you want to just let users use the browser’s built in saving of form data, just make sure to use Text Fields or Password Fields as appropriate, Xojo renders these as native fields that the browser recognises and may prompt the user to save data from.

The thing is, lots of people turn that feature off, I do. However, I do use 1Password instead which will work as expected too.

Robert_Bednar · March 27, 2014, 4:18am

Our office is “filling up” with Web Apps…all of which generally require a login…which calls our active directory service to authenticate the individual. It’s not so much for “security” as it is to know “who” created records in a database…or to show “that person” their workload. etc. We are looking at SSO (Single Sign On) options. It seems for the moment the path is to use their Active directory credentials used to sign into the workstation. I realize the answer will no doubt be different for each platform and possibly browser. I think MS IE has access to the system login credentials (where Chrome / Safari / Firefox may not. Has anyone tried to pass system login credentials to a web app? Any tips for doing so? (Sorry about my crappy non-gravatar avi — I’m working on it.)

Peter_Truskier · March 27, 2014, 5:56am

Really? It certainly doesn’t for me, and I think Thom posted a thorough explanation of why not, including the url he referenced above, some time ago.