@bender@twtxt.net Hmmmm, I'm not sure about this… 🧐 Does anyone who knows web/session security better than me have any other opinions?
@prologic@twtxt.net I do NOT claim to be an expert in that realm. I've seen different things being implemented in the guise of “remember me”. But I reckon the most common scheme, when this checkbox is activated, is to issue a dedicated, long-lived refresh token in a login cookie. I'm sure it is known under several different names. This “remember me” login cookie is separate from the actual short-lived session cookie.
Part 2 of this answer explains it fairly well: https://stackoverflow.com/a/477578 Also, this was a nice read: https://web.archive.org/web/20180819014446/http://jaspan.com/improved_persistent_login_cookie_best_practice
It depends on your threat model, but the use of public computers in libraries, internet cafés or similar is probably the most relevant here, when arguing against activating “remember me”. These days, shared computer use is declining, I'd assume. With twtxt being a niche for more computer-affine folks, I'd reckon this threat is not that high up the list. On the other hand, you want to bring yarnd to the average non-nerd user, so this threat might actually rank more important.
It's probably okay and safe enough to remove “remember me” entirely and just issue a long-lived session cookie and be done with that. Optionally, power users or the administrator could benefit from configurable cookie lifetime(s).
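As an added illustration of the scheme lyse describes (a short-lived session cookie plus a separate, long-lived “remember me” login cookie, following the series/token idea from the linked Jaspan article), here is a small Go sketch. It is example code written for this thread, not yarnd's own implementation; the cookie names, lifetimes, the in-memory store and the `bender`/`lyse` sample users are all assumptions. The server stores only a hash of the token; each successful redemption rotates the token within the same series, so a replayed old token reveals that the cookie was copied and the whole series is revoked.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Assumed names and lifetimes; yarnd's real values are not on the page.
const (
	sessionCookieName  = "session"     // browser-session cookie, dropped when the browser closes
	rememberCookieName = "remember_me" // long-lived, only issued when the box was ticked
	rememberLifetime   = 30 * 24 * time.Hour
)

var (
	ErrInvalid = errors.New("remember-me cookie invalid or expired")
	ErrTheft   = errors.New("remember-me token reuse detected: series revoked")
)

// rememberRecord is the server-side state for one issued login cookie.
// Only a SHA-256 hash of the token is kept, so a leaked store yields no usable cookies.
type rememberRecord struct {
	user      string
	tokenHash [32]byte
	expires   time.Time
}

// Store maps series ID -> record. In-memory for the example; a real server persists it.
type Store struct {
	series map[string]*rememberRecord
	now    func() time.Time // injectable clock so expiry can be tested
}

func NewStore() *Store { return &Store{series: map[string]*rememberRecord{}, now: time.Now} }

func randomString(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an auth system cannot continue without a working CSPRNG
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// IssueRemember starts a new series for user and returns the cookie value "series:token".
func (s *Store) IssueRemember(user string) string {
	series, token := randomString(16), randomString(32)
	s.series[series] = &rememberRecord{user: user, tokenHash: sha256.Sum256([]byte(token)), expires: s.now().Add(rememberLifetime)}
	return series + ":" + token
}

// RedeemRemember validates a presented cookie, rotates the token within the series and
// returns the user plus the replacement cookie value. A known series with a wrong token
// means an old token was replayed after rotation, i.e. the cookie was copied: revoke it.
func (s *Store) RedeemRemember(cookieValue string) (user, newValue string, err error) {
	series, token, ok := strings.Cut(cookieValue, ":")
	if !ok {
		return "", "", ErrInvalid
	}
	rec, found := s.series[series]
	if !found || s.now().After(rec.expires) {
		delete(s.series, series)
		return "", "", ErrInvalid
	}
	h := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(h[:], rec.tokenHash[:]) != 1 {
		delete(s.series, series) // the legitimate holder must log in with a password again
		return "", "", ErrTheft
	}
	fresh := randomString(32)
	rec.tokenHash = sha256.Sum256([]byte(fresh))
	rec.expires = s.now().Add(rememberLifetime)
	return rec.user, series + ":" + fresh, nil
}

// Revoke drops a series, e.g. on explicit logout or password change.
func (s *Store) Revoke(cookieValue string) {
	series, _, _ := strings.Cut(cookieValue, ":")
	delete(s.series, series)
}

// LoginCookies builds the cookies set after a successful password login: always the
// session cookie (no Max-Age, so it dies with the browser), plus the remember-me cookie
// only when the box was ticked. Both are HttpOnly, Secure and SameSite=Lax.
func LoginCookies(sessionID, rememberValue string, rememberMe bool) []*http.Cookie {
	mk := func(name, value string, ttl time.Duration) *http.Cookie {
		return &http.Cookie{Name: name, Value: value, Path: "/", MaxAge: int(ttl / time.Second),
			HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
	}
	cookies := []*http.Cookie{mk(sessionCookieName, sessionID, 0)}
	if rememberMe {
		cookies = append(cookies, mk(rememberCookieName, rememberValue, rememberLifetime))
	}
	return cookies
}

func main() {
	store := NewStore()
	v := store.IssueRemember("bender") // constructed sample user
	user, v2, err := store.RedeemRemember(v)
	fmt.Println(user, err)             // bender <nil>
	_, _, err = store.RedeemRemember(v) // replaying the pre-rotation token
	fmt.Println(err)                    // series revoked
	_, _, err = store.RedeemRemember(v2)
	fmt.Println(err) // invalid: the whole series is gone
}
```

The point of the series/token split is the middle branch of `RedeemRemember`: a stolen cookie works until either party next uses it, and the first replay after that detects the theft and kills the series, which is the best a purely cookie-based “remember me” can do against the shared-computer case discussed above.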
@lyse@lyse.isobeef.org I'll buy that argument
@eldersnake@we.loveprivacy.club Like an “I'm on a public terminal” type thing? Which has the opposite effect? With some helpful descriptive text? 🤔
@prologic@twtxt.net @eldersnake@we.loveprivacy.club I'd avoid the inverted logic. Checking a setting to disable a feature always feels wrong and confusing to me. I'd rather suggest to enable the checkbox by default. But I'm with you, an explanation what it does is definitely helpful. Maybe something along those lines: “Enabling this feature will keep you logged in, even after closing your browser. Do not activate this setting on shared devices.”
@lyse@lyse.isobeef.org I'm so confused now 🤣
@prologic@twtxt.net How so? Which part did I manage to confuse you with?
@lyse@lyse.isobeef.org Specifically:
I'd rather suggest to enable the checkbox by default
I'm no longer sure, between the discussion(s), how this should behave or look now 🤣
@prologic@twtxt.net Visiting the login page would give you something like this:
Username: _<focused field>____
Password: ____________________
[x] Remember me (Enabling this feature will keep
you logged in, even after closing your browser.
Do not activate this setting on shared devices.)
[Login]
The “remember me” checkbox could be already activated by default. This would benefit people like @bender@twtxt.net.
An alternative would be to make the session lifetime configurable in the user profile. So bender would then set this to forty-two years. :-) Definitely something for power users who know what they're doing. More dangerous for the average Joe, though.
@lyse@lyse.isobeef.org Ahh! I can do that, at least the first part. That's trivial!
Done