Remember Me - Notes
Improved Persistent Login Cookie Best Practice
The following strategy is described as a best practice for persistent login cookies:
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
- The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.
- When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.
- If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in the database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.
- If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
- If the username and series are not present, the login cookie is ignored.
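The steps above as a runnable sketch. This is an added example, not code from the original notes: the in-memory dict stands in for the database table, and the function names and the `username:series:token` cookie encoding are assumptions made for illustration.

```python
import hmac
import secrets

# Stand-in for the database table: (username, series) -> current token.
remembered = {}

def issue_login_cookie(username, series=None):
    """Store a fresh token for (username, series) and return the cookie value.

    Called without a series at login (new series); called with the existing
    series when a presented cookie is accepted and its token is rotated.
    """
    series = series or secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)          # unguessable, large space
    remembered[(username, series)] = token     # overwrites the used token
    return f"{username}:{series}:{token}"

def check_login_cookie(cookie):
    """Return (status, new_cookie); status is 'ok', 'theft' or 'ignored'."""
    try:
        # rsplit so a username containing ':' still parses correctly.
        username, series, token = cookie.rsplit(":", 2)
    except ValueError:
        return "ignored", None                 # malformed cookie
    stored = remembered.get((username, series))
    if stored is None:
        return "ignored", None                 # username/series not present
    if hmac.compare_digest(stored.encode(), token.encode()):
        # Triplet present: authenticate, replace the token, keep the series.
        return "ok", issue_login_cookie(username, series)
    # Series known but token stale: assume theft and delete every
    # remembered session belonging to this user.
    for key in [k for k in remembered if k[0] == username]:
        del remembered[key]
    return "theft", None

if __name__ == "__main__":
    first = issue_login_cookie("alice")        # constructed sample user
    print(check_login_cookie(first)[0])        # first use is accepted
    print(check_login_cookie(first)[0])        # reuse of the rotated token
```

The caller is responsible for showing the warning when the status is `theft` and for sending the returned cookie back to the browser when it is `ok`.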
What is remember me login?
We provide this option to keep you from having to enter your user name and password every time you return. We’ve added this feature solely for your benefit, to save you time and to keep you from having to remember yet another password!
What happens if I click the “Remember Me” box?
By checking this box, you’ll stay logged in for up to 2 weeks or until you log out.
If you check the “remember me” box, we’ll put a small cookie on your computer that will let us know who you are the next time you log in. Each time you return to the admin panel, you will be logged in automatically. (If you use a different computer, you will need to log in again.) This cookie does nothing more than “remember” you to the website.
What if I share my computer with others?
If other people use your PC, you may not want to use “remember me”. If you do, they will automatically be logged in to your blog admin panel. In this case, you may prefer simply to log in at each visit.
What happens if I do not check the Remember Me box?
If you do not check the box, we won’t put a cookie on your PC. However, the next time you visit you will need to enter your login name and password again.