
"Remember me" functionality #1416

Closed
joekrill opened this issue Jun 12, 2021 · 6 comments

Comments

@joekrill
Contributor

Almost everywhere you log in these days has a "remember me" option - when it's checked, a persistent cookie is issued; when it isn't, a session cookie is issued. Is there currently a way to do this with Kratos? Or a plan to implement it? There was previously an issue (#42) about this, but it was closed by - what seems to be - removing any reference to this sort of feature.

@aeneasr
Member

aeneasr commented Jun 12, 2021

It was closed because the feature was implemented. You can control this on the system settings level! See the referenced commit :)

Regarding user choice, most systems (Google is one such example) do not provide user choice. Actually most big sites no longer offer user choice. The major problem being that all browsers are handling this a bit differently.

Why do you need user choice for this?

@joekrill
Contributor Author

> It was closed because the feature was implemented. You can control this on the system settings level! See the referenced commit :)

Well I'd argue that it was closed because it wasn't implemented. :) Or it was removed and/or decided not to implement. That commit introduces a persistent config option that can be set at the system level, but it doesn't "Allow users to decide if they want to stay signed in on this device" (the title of the issue) - there's no way to give the user a choice, as far as I can tell (unless I'm misunderstanding something).

However, you make a really great point in asking "Why do you need user choice for this"! I guess this sort of thing has become a common, de-facto "feature" when logging in, so I've become accustomed to it. But you're absolutely right - it has definitely become less common, and begs the question of whether it should still be done at all. So it sounds to me like best practice is to not offer this functionality anymore at all. And is that the official stance from the Ory/Hydra team? Does that seem accurate? I've been looking for some clear guidance on this and can't seem to find anything definitive. OWASP doesn't seem to address this directly (as far as I can find), unfortunately.

@aeneasr
Member

aeneasr commented Jun 14, 2021

Yeah, there isn't clear guidance on this topic and most systems offer MFA these days which is a much more secure way of "staying signed in" (or not) than trusting the user to make the right choice when they click "remember me". I also think that most non-technical users don't actually know what this option does as they are not accustomed to the subtle differences between max-age: 0 and max-age: 1234 for chrome, safari, firefox, opera, ie, edge, ...

What I've seen is that, after or during an MFA flow, the user may choose "remember this device" which basically sets a cookie after MFA. That allows users to continue to log in without having to re-enter MFA codes again and again.
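To make the "remember this device" mechanism described above concrete, here is an added example in Go (not Kratos code, and not from anyone in this thread): an HMAC-signed device token issued after a successful MFA step, verified at the next login, and carried in a persistent cookie whose Max-Age is what separates it from a session cookie. The cookie name, token format and key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/http"
	"strconv"
	"strings"
	"time"
)

const mfaDeviceCookie = "remember_mfa_device" // constructed name, not a Kratos one

// sign returns the URL-safe HMAC-SHA256 tag of payload under key.
func sign(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueDeviceToken builds "userID|expiryUnix|tag" after a successful MFA step.
func IssueDeviceToken(key []byte, userID string, now time.Time, ttl time.Duration) string {
	payload := userID + "|" + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return payload + "|" + sign(key, payload)
}

// VerifyDeviceToken accepts a token only if it is well-formed, not expired, and its tag
// verifies under the user now logging in, so a token minted for another account fails.
func VerifyDeviceToken(key []byte, token, userID string, now time.Time) error {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	if !hmac.Equal([]byte(sign(key, userID+"|"+parts[1])), []byte(parts[2])) {
		return errors.New("bad signature or token bound to another user")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return errors.New("token expired")
	}
	return nil
}

// RememberDeviceCookie: a positive Max-Age persists across browser restarts; leaving it at 0 omits the attribute, giving a session cookie dropped on exit.
func RememberDeviceCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{Name: mfaDeviceCookie, Value: token, Path: "/", MaxAge: int(ttl / time.Second),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}
```

The session cookie itself stays short-lived; only the MFA "remembered device" marker is persistent, which is the split the comment above describes.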

@aeneasr
Member

aeneasr commented Jun 16, 2021

I would probably close this as a wontfix unless you think this is necessary in some use cases?

@joekrill
Contributor Author

I'm sure there are folks that would probably want this feature, but I'm convinced I don't need it.

@aeneasr
Member

aeneasr commented Jun 21, 2021

Great, thank you for the feedback. In that case, closing this!

@aeneasr aeneasr closed this as completed Jun 21, 2021