Another website question

Areeda

I have a "stay logged in" check box and allow cookie logins, and logging out forces you to log in again.

The question is should it invalidate any other stay logged in cookies? For example you are logged in on 2 different machines or with 2 different browsers, you log out of one should that force you to enter user/password on the others too?

I can come up with arguments for both behaviors. And a third option of course is to ask if you have more than one of these cookies. Before I state my preference, I'd like to hear about "standard practice" and/or your preference.

Sorry to fill the Technical corner with programming questions.

Joe
 
It really depends on the nature of the data within the website. The more sensitive - the more you do that sort of thing.

If the data is not super sensitive I prefer not to expire the other stay-logged-in cookies if one logs out. Instead expire all of them if the user changes their password.
 
Agreed, it depends on the sensitivity of the data; however, if I really want to give some logout options I add in the ability to

__ log out, this computer only
__ log out, all computers

But that second option requires some dev in advance in how you handle sessions.

Chip-
 
I may add the option to do either. I just implemented the "stay logged in" function so I don't mind a sanity check.

The way I handle cookie login is to create a separate login cookie with a fairly random value. That value is kept in a separate database table along with the user id. So when you hit the site, if your login cookie matches one on file you get logged into a new session.

So to log out of all computers I just delete all your unexpired cookies. To log out of this session I delete just one of them.

Joe
 
I don't quite understand this. So are there two different cookies then? A session cookie as well as a separate "stay logged in" cookie?

What exactly do you mean by "cookie login"? HTTP is stateless, so there'll always be a session cookie unless you're doing something truly non-standard.
 
OK I admit I made it up, but it is modeled after what I deduced from other sites.

I do want to discuss how others do it. I'm sure I'm missing something.

I have a session cookie that lives for a particular session and a second "login" cookie that lives for 90 days (right now).

When you hit the server and do not have an active session, it looks for the "login" cookie. If that cookie is valid it creates the session and marks it as a "cookie login" which requires a password login to do a privileged operation.

How do others handle the "stay logged in" checkbox? Is it SOP to change the expiration of the session cookie? I don't store much in the session so it's not a big deal to keep that stuff around, but I like knowing if you entered your password or not.

I do appreciate the discussion. It helps.

Joe
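The scheme Joe describes (a session cookie plus a separate 90-day "login" cookie whose random value is kept in a server-side table, with "log out, this computer" deleting one row and "log out, all computers" deleting every row for the user, and a cookie-created session that may not do privileged operations), as an added example that is not Joe's code and not from this thread. It is written in Python rather than the PHP he mentions, the class and method names are assumed, and it goes one step beyond the thread by storing only a SHA-256 hash of each cookie value so a copied table cannot be replayed.

```python
import hashlib
import secrets

REMEMBER_ME_TTL = 90 * 24 * 3600  # the 90-day "login" cookie lifetime from the thread, in seconds


class RememberMeStore:
    """Server-side table of 'login' cookies (one row per browser/device) plus active sessions."""
    def __init__(self):
        self.rows = {}      # token_hash -> {"user_id": ..., "expires": unix time}
        self.sessions = {}  # session_id -> {"user_id": ..., "cookie_login": bool}

    @staticmethod
    def _h(token):
        # Only the hash is stored; a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def _new_session(self, user_id, cookie_login):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user_id": user_id, "cookie_login": cookie_login}
        return sid

    def password_login(self, user_id, now, stay_logged_in):
        """Full login. Returns (session_id, login_cookie_value); the cookie is None if unchecked."""
        sid = self._new_session(user_id, cookie_login=False)
        if not stay_logged_in:
            return sid, None
        token = secrets.token_urlsafe(32)  # fairly random, unguessable value for the cookie
        self.rows[self._h(token)] = {"user_id": user_id, "expires": now + REMEMBER_ME_TTL}
        return sid, token

    def cookie_login(self, token, now):
        """No active session but a login cookie present: create a reduced-privilege session or refuse."""
        row = self.rows.get(self._h(token))
        if row is None or row["expires"] <= now:
            self.rows.pop(self._h(token), None)  # expired rows are dropped; a password is needed
            return None
        return self._new_session(row["user_id"], cookie_login=True)

    def logout_this_computer(self, sid, token):
        self.sessions.pop(sid, None)
        self.rows.pop(self._h(token), None)  # other devices' login cookies stay valid

    def logout_all_computers(self, user_id):
        """Also the right action on a password change: every login cookie for the user goes away."""
        self.rows = {h: r for h, r in self.rows.items() if r["user_id"] != user_id}
        self.sessions = {s: v for s, v in self.sessions.items() if v["user_id"] != user_id}

    def may_do_privileged(self, sid):
        s = self.sessions.get(sid)  # privileged operations need a password-created session
        return s is not None and not s["cookie_login"]
```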
 
Hey Joe, what language are you programming this in?
 
I've been using PHP but I'm currently on a quest for something better.

Joe
 
Whatever you do, don't use comcast.net as an example. I click "stay logged in" and every time I visit (usually weekly), I have to log in again. If it wasn't for Firefox keeping the userid, I'd have a hard time with it. Then there is their question, each and every time I pay my bill, asking me if I want to receive my bill electronically. I answer no and don't ask again, and the next month it asks.
My complaints to Comcast about their website are answered with the same dispatch as any question about service.
 