[thelist] Remember Me? Still useful?

Bill Moseley moseley at hank.org
Mon Dec 10 12:43:21 CST 2007


I'm wondering if the old "remember me" checkbox on logins has
any use any more with browsers able to remember forms.  Specifically,
if the added convenience of not having to click the login button on a
pre-filled login form is worth the extra loss of security by allowing
cookies to automatically log users in.

There's this discussion on how to possibly detect when an attacker
tries to use a stolen cookie:

http://jaspan.com/improved_persistent_login_cookie_best_practice

Granted, if the cookies are only set and read over SSL then you can
assume that if they are stolen it would then be just as possible to
steal any browser-saved form data as well.

I'm not sure that the "remember me" feature adds that much
functionality that it's worth the extra work implementing (do
existing login cookies get invalidated on password changes?) and
potential reduced security.  Is removing a single click for their
entire session that big of a deal?

That link above is about how to detect break-in attempts, really --
and then displaying it to the user.  So, this breaks my rules about
1) not asking for things on forms that are not absolutely needed to
function (username/password is all that's needed) and 2) displaying
somewhat cryptic error messages that the user may not know how to deal
with.



-- 
Bill Moseley
moseley at hank.org
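The series/token "remember me" scheme from the Jaspan link, as an added Python sketch that is not code from the post or the linked article. The class and method names are my own, the store is an in-memory dict standing in for a database, and a cookie is modelled as a (user, series, token) tuple; `revoke_user` is the password-change invalidation the post asks about.

```python
import hashlib
import hmac
import secrets


class PersistentLogin:
    """Each cookie carries (user, series, token).  The token rotates on every
    use; a valid series presented with a stale token means a copy of the
    cookie exists, so the whole series is revoked and the user is flagged."""

    def __init__(self):
        self._series = {}     # series_id -> (user, sha256(current token))
        self._alerts = set()  # users whose cookie was seen replayed

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._series[series] = (user, self._digest(token))
        return (user, series, token)

    def redeem(self, cookie):
        user, series, token = cookie
        rec = self._series.get(series)
        if rec is None or rec[0] != user:
            return None                      # unknown series: normal login
        if not hmac.compare_digest(rec[1], self._digest(token)):
            del self._series[series]         # theft signal: kill the series
            self._alerts.add(user)           # ...and remember to tell the user
            return None
        new_token = secrets.token_urlsafe(32)
        self._series[series] = (user, self._digest(new_token))
        return (user, series, new_token)     # rotated cookie to set

    def revoke_user(self, user):
        """Drop every series for a user, e.g. on password change."""
        for s in [s for s, (u, _) in self._series.items() if u == user]:
            del self._series[s]

    def alerted(self, user):
        return user in self._alerts


def demo():
    store = PersistentLogin()
    c1 = store.issue("alice")            # constructed sample user
    stolen = c1                          # a copy of the cookie leaks
    c2 = store.redeem(c1)                # legitimate use rotates the token
    replay = store.redeem(stolen)        # stale token on a live series
    after = store.redeem(c2)             # legitimate user is now logged out too
    return (c2 is not None, replay, after, store.alerted("alice"))
```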