"Remember me" functionality #1416
It was closed because the feature was implemented. You can control this on the system settings level! See the referenced commit :) Regarding user choice, most systems (Google is one such example) do not provide user choice. Actually most big sites no longer offer user choice. The major problem being that all browsers are handling this a bit differently. Why do you need user choice for this?
Well I'd argue that it was closed because it wasn't implemented. :) Or it was removed and/or decided not to implement. That commit introduces a However, you make a really great point in asking "Why do you need user choice for this"! I guess this sort of thing has become a common, de-facto "feature" when logging in, so I've become accustomed to it. But you're absolutely right - it has definitely become less common, and begs the question of whether it should still be done at all. So it sounds to me like best practice is to not offer this functionality anymore at all. And that is the official stance from the Ory/Hydra team? Does that seem accurate? I've been looking for some clear guidance on this and can't seem to find anything definitive. OWASP doesn't seem to address this directly (as far as I can find), unfortunately.
Yeah, there isn't clear guidance on this topic and most systems offer MFA these days, which is a much more secure way of "staying signed in" (or not) than trusting the user to make the right choice when they click "remember me". I also think that most non-technical users don't actually know what this option does, as they are not accustomed to the subtle differences between max-age: 0 and max-age: 1234 for chrome, safari, firefox, opera, ie, edge, ... What I've seen is that, after or during an MFA flow, the user may choose "remember this device", which basically sets a cookie after MFA. That allows users to continue to log in without having to re-enter MFA codes again and again.
I would probably close this as a wontfix unless you think this is necessary in some use cases?
I'm sure there's folks that would probably want this feature, but I'm convinced I don't need it.
Great, thank you for the feedback. In that case, closing this!
Almost everywhere you log in these days has a "remember me" option - when it's checked, a persistent cookie is issued; when it isn't, a session cookie is issued. Is there currently a way to do this with Kratos? Or a plan to implement it? There was previously an issue (#42) about this, but it was closed by - what seems to be - removing any reference to this sort of feature.