Give a user the option to stay logged in.

John Kopanas

Nov 4, 2008, 9:53:29 AM
to rubyonra...@googlegroups.com
I thought this would be so straightforward but it does not seem to be.

I want to give users the option when they log in to check a checkbox that will leave them logged in but I cannot seem to figure out how.

On top of that I am trying to figure out if it matters what session store I am using. Right now I am using active record but I am looking to move over to memcache. Does it depend on session store?

I would really appreciate any input I can get on this subject!

--
John Kopanas
jo...@kopanas.com

Blog: http://www.kopanas.com
Conference: http://www.cusec.net
Twits: http://www.twitter.com/kopanas

Frederick Cheung

Nov 4, 2008, 10:05:46 AM
to rubyonra...@googlegroups.com

On 4 Nov 2008, at 14:53, John Kopanas wrote:

> I thought this would be so straightforward but it does not seem to
> be.
>
> I want to give users the option when they log in to check a checkbox
> that will leave them logged in but I cannot seem to figure out how.
>
> On top of that I am trying to figure out if it matters what session
> store I am using. Right now I am using active record but I am
> looking to move over to memcache. Does it depend on session store?

It doesn't (since the whole point is that you want something that will
outlast the session). Typically one stores a cookie with some sort of
token. Restful authentication does this; you could have a look at the
code in there.


Fred
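
One way to implement the cookie-with-a-token approach described above, as an added example that is not part of the original thread and is not the Restful authentication plugin's code. `RememberStore`, its method names and the 14-day lifetime are assumptions for illustration; the Hash stands in for a database table kept separately from whatever session store is in use.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory stand-in for a remember_tokens table (assumption).
class RememberStore
  LIFETIME = 14 * 24 * 60 * 60 # seconds; constructed value

  def initialize
    @rows = {} # SHA-256(token) => { user_id:, expires_at: }
  end

  # Called at login only when the user ticked the checkbox (opt-in).
  # Returns the attributes for the persistent cookie; only a digest of
  # the token is kept server-side, so a leaked table cannot be replayed.
  def issue(user_id, now = Time.now)
    token = SecureRandom.hex(32)
    @rows[digest(token)] = { user_id: user_id, expires_at: now + LIFETIME }
    { value: token, expires: now + LIFETIME, httponly: true, secure: true }
  end

  # Called when a request has no session but carries the cookie.
  # Returns [user_id, replacement_cookie] or nil. The token is single-use:
  # the old record is deleted and a fresh token is issued on success.
  def redeem(token, now = Time.now)
    row = @rows.delete(digest(token.to_s))
    return nil if row.nil? || row[:expires_at] <= now
    [row[:user_id], issue(row[:user_id], now)]
  end

  # Logout: drop the server-side record so the cookie value is useless.
  def revoke(token)
    !@rows.delete(digest(token.to_s)).nil?
  end

  def stored_keys
    @rows.keys
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

After a successful `redeem`, the application creates a normal session for the returned user id and sends the replacement cookie; the session store only ever sees the user id.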

Robert Walker

Nov 4, 2008, 11:57:08 AM
to rubyonra...@googlegroups.com
> I want to give users the option when they log in to check a checkbox that
> will leave them logged in but I cannot seem to figure out how.

One note on this: Be aware that by doing this you are leaving your users
more exposed to click-jacking attacks. I, personally, hate when this
option is presented as an opt-out. It's fine to present the option, but
I recommend making it opt-in not opt-out. I also use an external
password manager and never use the built-in autofill features provided
by most modern browsers (I am using 1Password on my Mac for this, which
I highly recommend to any Mac users out there). I enter my 1Password
into a popup dialog, and not the actual username and password of the
actual site, protecting me from any click-jacking attacks.

John Kopanas wrote:
> I thought this would be so straightforward but it does not seem to be.
> I want to give users the option when they log in to check a checkbox that
> will leave them logged in but I cannot seem to figure out how.

--
Posted via http://www.ruby-forum.com/.
