"Auto logout" vs "Remember me"


Ronny Hanssen

Oct 14, 2011, 3:57:53 AM
to hob...@googlegroups.com
Hi,

Today the Hobo applications' login automatically shows the "remember me" option. This means that revisits to the site within the expiration time of the authorization cookie lead to the user automatically being granted access.

However, for more security-aware sites there is another alternative. These sites usually expire the authorization within 15-30 minutes of activity, but they update the session every time the user loads a page in order to start a new timeout. This auto-logout system is often used by internet banking sites, for instance.

I believe that Hobo checks whether there is a live session for the user for authorization. If there isn't a matching session, then the authorization cookie is used to see if the user is to be authorized.

An auto-logout extension does not seem to be something that can just be added to the existing system. Auto-logout means that the authorization cookie needs to be removed, the session cookie needs to have an expiration, and code for restarting the session timeout on every activity on the web server needs to be added.

And finally, I think this should be added to the hobo new wizard, asking whether the site security should use "remember me" or "auto-logout".

Does anyone have any comments on my thoughts on this? Have I misunderstood something? Has anyone already done something similar?


Regards,
Ronny
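As an added illustration of the two policies the post contrasts (not code from Hobo or from the original poster), the following plain Ruby models a "remember me" token store and an idle-timeout session side by side, plus the lookup order the post attributes to Hobo: live session first, then the remember-me cookie. `session` and `cookies` are plain Hashes standing in for the Rails stores, the clock is injected so expiry can be exercised deterministically, and the 15-minute idle limit and two-week token lifetime are assumed values chosen for the example.

```ruby
require 'digest'
require 'securerandom'

# "Remember me": a long-lived random cookie token that re-authenticates a
# browser which has no live session. Only a digest of the token is kept
# server side, so a leaked token table cannot be replayed as cookies.
class RememberMe
  TOKEN_TTL = 14 * 24 * 3600 # assumed lifetime: two weeks

  def initialize(clock: -> { Time.now })
    @clock = clock
    @tokens = {} # SHA256(token) => { user_id:, expires_at: }
  end

  def issue(user_id, cookies)
    token = SecureRandom.hex(32)
    @tokens[Digest::SHA256.hexdigest(token)] =
      { user_id: user_id, expires_at: @clock.call.to_i + TOKEN_TTL }
    cookies[:remember_me] = token
  end

  # Return the user id for a valid, unexpired cookie, else nil.
  def lookup(cookies)
    token = cookies[:remember_me]
    return nil unless token
    key = Digest::SHA256.hexdigest(token)
    rec = @tokens[key]
    return nil unless rec
    if rec[:expires_at] <= @clock.call.to_i
      @tokens.delete(key) # expired: drop it server side too
      return nil
    end
    rec[:user_id]
  end

  # Revoke on logout. An auto-logout policy must do this as well, otherwise
  # the cookie silently re-creates the session the timeout just ended.
  def revoke(cookies)
    token = cookies.delete(:remember_me)
    @tokens.delete(Digest::SHA256.hexdigest(token)) if token
  end
end

# "Auto logout": a session that is extended on every request and dropped
# after a period of inactivity.
class IdleTimeout
  IDLE_SECONDS = 15 * 60 # assumed idle limit

  def initialize(idle_seconds: IDLE_SECONDS, clock: -> { Time.now })
    @idle = idle_seconds
    @clock = clock
  end

  def start(session, user_id)
    session[:user_id] = user_id
    session[:last_seen] = @clock.call.to_i
  end

  # Run at the start of every request (a before_filter in Rails terms).
  # Restarts the timeout if the session is live; otherwise clears it.
  def check(session)
    uid, last = session[:user_id], session[:last_seen]
    return nil unless uid && last
    now = @clock.call.to_i
    if now - last > @idle
      session.clear
      return nil
    end
    session[:last_seen] = now
    uid
  end
end

# Lookup order as the post describes it: live session first, then the
# remember-me cookie. With the auto-logout policy `remember` is nil, so an
# idle session simply ends and the user must log in again.
def authenticate(session, cookies, idle:, remember: nil)
  uid = idle.check(session)
  return uid if uid
  return nil unless remember
  uid = remember.lookup(cookies)
  idle.start(session, uid) if uid # rebuild the session from the cookie
  uid
end
```

In a real Rails application the `check` call would sit in a before_filter so every page load restarts the timeout, and the session store's own cookie expiry would be set to the same idle limit so a stale cookie cannot outlive the server-side decision.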