Seems to be an interesting topic, but I am kind of lost between all the ideas here. Let me summarize:
1. Create a user token system that would allow generating an infinite number of tokens per user, which can be used to securely identify that user later on. This can be widely used when creating links to protected pages (e.g. my account pages), where the user must confirm his identity before being able to view that page.
This token system would replace all token-like code that we have right now:
- password change link in forgot password e-mail
- verify e-mail link in user registration (active) notification e-mail
- verify e-mail link in user e-mail change notification e-mail
- user registration approval link in user registration (pending) notification e-mail
- old e-mail restore link in e-mail change notification e-mail
Additionally, it would allow us to create a login token that would instantly log the user in to the website (no need to type a password or perform a redirect to the login page) when included in that page link.
The initial version of this functionality was already implemented in the "#35976 - User Auto-Login on Front-end" task (In-Business) and needs to be ported to the upcoming feature release.
2. When the user isn't logged in OR doesn't have permission to do something, redirect to a united "no permission/login" page, where:
This way, if the user doesn't have permission for an operation, he can transparently re-login using different credentials.
3. "Remember username" functionality improvements.
We have 2 ways of remembering the last user's information on the website (via cookies):
- "keep me logged-in" - will re-create the user session on the next visit (in case it has already expired), so the user would think he is infinitely logged in
- "remember username" - would remember the last used username in a cookie, but won't re-create an expired user session.
Currently we use "keep me logged-in" on the Front-End (called "Remember me" there) and "remember username" in the Admin Console.
Maybe, as Dmitry advised, we should have a setting that would:
- allow setting which type of remembering should be used on the Front-End and in the Admin Console separately
- have the ability to set an exact duration (instead of the hardcoded "1 month") for which the "keep me logged-in" functionality would remember the user's presence on the website
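To make points 1 and 3 concrete, here is an added example (Python, written for this thread; it is not code from the In-Business task mentioned above, and the class, purpose names and durations are assumptions). It shows one token store serving every link type in point 1: each token is random, bound to a single purpose, expires, is stored only as a hash, and reset/verify tokens burn on first use, while the keep-me-logged-in token from point 3 is reusable with a configurable lifetime instead of a hardcoded month.

```python
"""Purpose-bound user token store serving password-reset, e-mail verification,
auto-login and keep-me-logged-in links from one code path.
Added illustration: store, purpose names and TTLs are assumptions, not project code."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class TokenRecord:
    user_id: int
    purpose: str          # what the token may be used for, e.g. "password_reset"
    expires_at: float     # absolute Unix time after which redeem() refuses it
    single_use: bool      # True for reset/verify links, False for keep-me-logged-in
    used: bool = False


class UserTokenStore:
    """Keeps only SHA-256 hashes of issued tokens, so a leaked table cannot be replayed."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: dict = {}   # token_hash -> TokenRecord (stands in for a DB table)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int, purpose: str, ttl_seconds: int, single_use: bool = True) -> str:
        """Return a fresh 256-bit random token. Any number of tokens per user is fine:
        each is independent, individually expirable and individually revocable."""
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = TokenRecord(
            user_id, purpose, self._clock() + ttl_seconds, single_use)
        return token

    def redeem(self, token: str, purpose: str) -> Optional[int]:
        """Return the user id if the token is valid for *this* purpose, else None.
        Lookup is by hash of a 256-bit random value, so guessing is infeasible."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.purpose != purpose:
            return None                   # a reset link must never work as a login link
        if rec.used or self._clock() > rec.expires_at:
            return None
        if rec.single_use:
            rec.used = True               # burn it: a reused reset link is worth logging
        return rec.user_id

    def revoke(self, user_id: int, purpose: Optional[str] = None) -> int:
        """Invalidate a user's outstanding tokens (all, or only one purpose), e.g. after a
        password change or an e-mail change. Returns the number of records removed."""
        doomed = [h for h, r in self._records.items()
                  if r.user_id == user_id and (purpose is None or r.purpose == purpose)]
        for h in doomed:
            del self._records[h]
        return len(doomed)


# Lifetimes are settings, not constants in code: short for links sent by e-mail,
# long and admin-configurable (instead of a fixed "1 month") for keep-me-logged-in.
TOKEN_TTL = {
    "password_reset": 60 * 60,            # 1 hour
    "email_verify": 24 * 60 * 60,         # 1 day
    "auto_login": 15 * 60,                # 15 minutes for links that log the user in directly
    "keep_logged_in": 14 * 24 * 60 * 60,  # 14 days; assumed value of the proposed setting
}


def protected_link(base_url: str, token: str) -> str:
    """Build the link to a protected page, e.g. the password change page."""
    return f"{base_url}?token={token}"


def demo(clock_now: float = 1_000_000.0) -> dict:
    """Walk through the cases with a controllable clock; returns each outcome."""
    now = [clock_now]
    store = UserTokenStore(clock=lambda: now[0])
    reset = store.issue(42, "password_reset", TOKEN_TTL["password_reset"])
    keep = store.issue(42, "keep_logged_in", TOKEN_TTL["keep_logged_in"], single_use=False)
    out = {}
    out["link"] = protected_link("https://example.test/reset-password", reset)
    out["wrong_purpose"] = store.redeem(reset, "auto_login")       # None: purpose mismatch
    out["first_use"] = store.redeem(reset, "password_reset")       # 42
    out["second_use"] = store.redeem(reset, "password_reset")      # None: single-use
    out["keep_twice"] = (store.redeem(keep, "keep_logged_in"),
                         store.redeem(keep, "keep_logged_in"))     # (42, 42): reusable
    now[0] += TOKEN_TTL["keep_logged_in"] + 1
    out["keep_expired"] = store.redeem(keep, "keep_logged_in")     # None: past its TTL
    out["revoked"] = store.revoke(42)                              # 2 records removed
    return out


if __name__ == "__main__":
    print(demo())
```

Binding the purpose at issue time is what lets one table safely back all five e-mail links and the auto-login link: the same random value is never valid for two operations, so a leaked e-mail-verification link cannot be turned into a login. Revoking by user and purpose on password or e-mail change closes the other common hole, an old reset link that is still live after the account was already recovered.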