What's your "remember me" cookie's lifetime?

My spec says 30 days. I am about to argue for a considerably longer TTL, something like 90 to 120 days. What do you think?

This is for a standard website, not an intranet app.

yannis asked Jul 17 '10 04:07



2 Answers

My personal advice would be to do it as a combination of a relatively short-expiration cookie with sliding expiration and a long-expiration identity cookie.

The first part is your standard week/month-long expiration authentication ticket cookie, which you renew on each request or at a certain time interval, or whatever other sliding expiration scheme you want to employ.

The second part is that you remember the identity of the user in a half-year/year-expiration cookie. This is not an authentication ticket, just an identity reminder, so that if the user returns after their session has expired, they get greeted and you might choose to show some non-sensitive personal information, like the number of emails in their inbox or anything like that; but to actually access any sensitive information, they need to authenticate themselves.

This will give your regular users (visiting every day or week) a continuous, never-expiring session, while still keeping the authentication tickets within a relatively short time frame. At the same time, for people who return after more than a month, you can still give them a personalized experience, yet their account is secure. I don't think anyone would actually have a problem if you ask them to authenticate to access certain parts of their account after a month of absence, even if they'd checked the "remember me"/"remember my password" checkboxes.

Franci Penov answered Nov 30 '22 16:11
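The two-cookie scheme described in the answer above, as an added example that is not the answerer's code: a short-lived, HMAC-signed authentication ticket that is re-issued on every valid request (sliding expiration), plus a long-lived identity cookie that the server deliberately refuses to accept as authentication. The cookie format, the window lengths, the secret and all function names are assumptions.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Constructed secret for the example only; a deployment would load it from a secret store.
SECRET = b"example-only-secret"

AUTH_TTL = 7 * 24 * 3600        # one-week authentication ticket, renewed on each request
IDENTITY_TTL = 365 * 24 * 3600  # one-year identity reminder, never treated as auth


def _sign(kind: str, user: str, expires: int) -> str:
    # Cookie value "kind|user|expires|mac". The kind is covered by the MAC so an
    # identity cookie cannot be presented as an auth ticket by relabelling it.
    body = f"{kind}|{user}|{expires}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def _verify(cookie: Optional[str], kind: str, now: int) -> Optional[str]:
    # Return the user name if the cookie is of the expected kind, carries a valid
    # MAC and has not expired; otherwise None. User names must not contain "|".
    if not cookie:
        return None
    try:
        got_kind, user, expires_str, mac = cookie.split("|")
        expires = int(expires_str)
    except ValueError:
        return None
    body = f"{got_kind}|{user}|{expires}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if got_kind != kind or expires <= now:
        return None
    return user


def issue_auth(user: str, now: int) -> str:
    return _sign("auth", user, now + AUTH_TTL)


def issue_identity(user: str, now: int) -> str:
    return _sign("id", user, now + IDENTITY_TTL)


def classify(auth_cookie: Optional[str], identity_cookie: Optional[str],
             now: int) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (state, user, renewed_auth_cookie) for one incoming request."""
    user = _verify(auth_cookie, "auth", now)
    if user:
        # Sliding expiration: a valid request re-issues the ticket with a fresh window.
        return "authenticated", user, issue_auth(user, now)
    user = _verify(identity_cookie, "id", now)
    if user:
        # Known identity, but no ticket: greet the user, require login for anything sensitive.
        return "recognized", user, None
    return "anonymous", None, None
```

Daily visitors keep getting a fresh ticket and never see a login prompt, while someone returning after a month is only "recognized" and must authenticate again.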


"It depends" is the most natural answer. Additionally, we should also ask the user whether it's a personal laptop, a shared workstation or a public machine.

If it is a social network or a mail portal or something similar, then 2 weeks; in the case of a personal workstation, more than 4 weeks. If it's a banking system, then there's nothing like Remember Me and persistent auth. In fact, the session should be terminated after no activity in the last 15 minutes.

So, it depends.

this. __curious_geek answered Nov 30 '22 18:11