Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie: the username and a one-time access token. It could be implemented differently in cases where the username is secret, as well. But whatever... the thing is not very high security: you steal the cookie and you're ready to go.
My question is on the functional side, however: when do you wipe their access tokens? If a user logs in without clicking "remember me" on another machine, should it invalidate their access tokens on all machines? I'm asking about how this is traditionally implemented, and also how it should be implemented.
Clicking the "Remember Me" box tells the browser to save a cookie so that if you close the window for the site without signing out, the next time you go back you will be signed in automatically. Make sure that your browser is set to remember cookies, or this function will not work.
If you have set Duo to send you a push notification automatically, the "Remember me for 30 days" checkbox may be grayed out. If you want to reactivate this feature: Cancel the push by clicking the blue Cancel button in the lower right corner of the window.
I regularly use 2 or 3 machines simultaneously, and have "remember me" on all of them. If one of them disconnected the others that would be very annoying, so I wouldn't recommend it.
Traditionally it would use a time-out: the cookie expires after a certain length of time (or when the user signs out).
It all depends on your security model. If you are writing an internal company application where you only ever expect one user to be on one computer, then you might want to have tighter restrictions than Gmail.
Also, bear in mind the possibility of Denial of Service: if an action on one machine can force another machine to be unusable, this could be used to prevent a legitimate user from taking control back in certain scenarios.
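As an added example (not code from the thread, and not how Gmail does it), here is a minimal Python store for per-device "remember me" tokens along the lines the answers describe: each machine gets its own token with a fixed lifetime, signing out on one machine revokes only that machine's token, and a separate call revokes every token for a user. The class and method names, the 30-day lifetime and the `username:token` cookie layout are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days; a constructed value

class RememberMeStore:
    """Server-side record of issued "remember me" tokens, one per device."""
    def __init__(self):
        # token_hash -> (username, expires_at). Only the hash is stored so a
        # leaked table does not hand out usable cookies.
        self._tokens = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create a fresh token for one device and return the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = (username, now + TOKEN_LIFETIME)
        return f"{username}:{token}"

    def authenticate(self, cookie, now=None):
        """Return the username for a valid, unexpired cookie, else None."""
        now = time.time() if now is None else now
        username, _, token = cookie.partition(":")
        key = self._hash(token)
        entry = self._tokens.get(key)
        if entry is None or entry[0] != username:
            return None
        if entry[1] <= now:
            del self._tokens[key]  # expired: drop it so it cannot be replayed
            return None
        return username

    def revoke(self, cookie):
        """Sign out on this device only; other devices keep working."""
        _, _, token = cookie.partition(":")
        self._tokens.pop(self._hash(token), None)

    def revoke_all(self, username):
        """Sign out everywhere, e.g. after a password change or suspected theft."""
        self._tokens = {h: e for h, e in self._tokens.items() if e[0] != username}
```

Because a plain login without "remember me" never calls `revoke` or `revoke_all`, it leaves the other machines' tokens intact, which avoids the lockout and denial-of-service concern raised above.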