Twisted "Remember me" sign in logic

[Stenis]

On the sign in page the check box "remember me" is checked by default. Wouldn't it be better to have it the other way around, making it easier for people that do not want to be remebered to not having to uncheck it every time they login, while the ones that want to be remembered check it once and then never again?

[Charles]

You can just go in the skin and remove the "checked" setting on that field if you don't want it checked by default.

[Wolfie]

I think his concern is that people in public places might sign in and not remember to sign out or to not uncheck the option. From a security stand point, it would be better to have it unchecked by default, with the admin having to skin it to be on if that's how they want it.

[AL3000]

This is a catch-22. For years, I have been witness to exactly the opposite argument from vB users, where the option is unchecked by default.

[Charles]

It's a tiny change to choose whatever you, as the admin, want it to be by default. We have to pick one so we picked checked but you can easily change that.

[bfarber]

I think the vast majority of users (and site owners) expect to be remembered when they login, unless they choose otherwise. I know on most sites I visit (that are standalone), "remember me" is checked by default. I personally wouldn't want to change this without some compelling arguments.

[Wolfie]

I think the vast majority of users (and site owners) expect to be remembered when they login, unless they choose otherwise. I know on most sites I visit (that are standalone), "remember me" is checked by default. I personally wouldn't want to change this without some compelling arguments.

While I'm in favor of this change, I'm not suited up for battle to get it done. However, I think that the issue of security should be considered a very strong argument on the issue. If someone signs in at a public computer (such as in a library) and that person forgets to log out and had also forgotten to uncheck the box while signing in, then that's a potential security breach. Considering the IPS serves to big companies as well, I would think that this would be an issue to take into consideration. Far better to require the person to check the box than to require them to uncheck it. Saying that a majority of users and site owners expected to be remembered by default is an argument supporting lazy behavior, which has proven time and again to cause security breaches.

[Guest]

While I'm in favor of this change, I'm not suited up for battle to get it done. However, I think that the issue of security should be considered a very strong argument on the issue. If someone signs in at a public computer (such as in a library) and that person forgets to log out and had also forgotten to uncheck the box while signing in, then that's a potential security breach. Considering the IPS serves to big companies as well, I would think that this would be an issue to take into consideration. Far better to require the person to check the box than to require them to uncheck it. Saying that a majority of users and site owners expected to be remembered by default is an argument supporting lazy behavior, which has proven time and again to cause security breaches.

To be frank, if someone signs in from a public computer leaving "remember me" checked *and* fails to log out afterwards, then that's their problem, in my opinion. Personal security is the responsibility of the user, and if they don't care enough to be vigilant, then they're going to have problems no matter what the software does for them.

With that being said, both Twitter and Facebook do appear to have the option off by default.

[Wolfie]

To be frank, if someone signs in from a public computer leaving "remember me" checked *and* fails to log out afterwards, then that's their problem, in my opinion. Personal security is the responsibility of the user, and if they don't care enough to be vigilant, then they're going to have problems no matter what the software does for them.

With that being said, both Twitter and Facebook do appear to have the option off by default.

It's far better to make the put forth effort to be lazy, than to do the work for them. Many security breaches are the result of laziness, either in implementing some form of security or in following the protocols properly.

I worked at a complex where security badges are used for going through doors and there were also ID cards that were used for gaining access to the computers. One day a memo went out to EVERYONE, where it was mentioned that people were abusing the system of getting replacement ID's, as they would use one to show who they were while leaving the other at their computer, thus giving anyone access to that computer. In short, a MAJOR security breach, out of laziness. But, in that instance, the laziness required people to put forth some effort. If each employee had been provided with two cards up front, then that would have been doing the work for them.

In essence, by having the box checked by default, it's doing the work for the visitor, instead of them doing the effort. The member wants to stay signed in, I have no problem with that. They should be required to work for their laziness though, instead of making them have to remember to uncheck a box to be more security conscious. Security by default, with the option to override, instead of vulnerable by default.

[Carl M]

Wolfie,

Just make the change in the skin if it erks you so much - users are warned not to to check the box on a shared computer ;)

:)

There are also the following options in the ACP that you can configure too

Member's log in key: Expiration
It is advised that a member's log in key (used in cookies for persistent log in) expires weekly if not used. This increases the security of your board by exposing log in data for a week limiting the time frame a hacker would have to use the key if stolen.

Reset member's log in key upon each log in?
If 'yes', each successful log in process will reset the member's auth key which is used in cookies as a password. This will make it impossible to remain logged into more than one computer.

[bfarber]

We have to tailor the software to what the majority want. I'm of the opinion, until someone convinces me otherwise, that MOST users want to be remembered when they login. You already have the option to not be remembered, as well as the option to log out, so if you fail to use either of those, I'm not sure what else IPB can really do in that instance.

[Wolfie]

Wolfie,

Just make the change in the skin if it erks you so much - users are warned not to to check the box on a shared computer ;)

I'm not the one who made the original request. I was simply pointing out that it is smarter and, security wise, recommended to have the option off by default. My site isn't part of some top secret or data sensitive organization or anything, so it's doubtful that anyone would want to really gain access by hacking into someone elses account. I was just speaking from the point of view that there are bound to be customers that would appreciate the extra step in security.

Anyone who has taken a course in computer related security can tell you that one of the biggest problems with enforcing it is that people will often try to find shortcuts around it just to make it easier on them, which in turn defeats the security put into place. So yeah, people like the lazy way, but it's not necessarily the better way.

[Carl M]

I'm not the one who made the original request. I was simply pointing out that it is smarter and, security wise, recommended to have the option off by default. My site isn't part of some top secret or data sensitive organization or anything, so it's doubtful that anyone would want to really gain access by hacking into someone elses account. I was just speaking from the point of view that there are bound to be customers that would appreciate the extra step in security.

Anyone who has taken a course in computer related security can tell you that one of the biggest problems with enforcing it is that people will often try to find shortcuts around it just to make it easier on them, which in turn defeats the security put into place. So yeah, people like the lazy way, but it's not necessarily the better way.

Its not a topic on which i have seen a mountain of people knocking down the doors demanding IPS to change it.

The option to do it is there - the user is warned prior to signing in :)

[Commander Galaxy]

I've used vB, and I like it checked. :rolleyes:

[Wolfsburg]

How or where do you go to uncheck the remember me?

[Aiwa]

You can just go in the skin and remove the "checked" setting on that field if you don't want it checked by default.

[Adriano Faria]

I have a hook that unchecks it. It's posted in another topic: http://community.invisionpower.com/topic/399712-remember-me-change-from-default/

[Wolfsburg]

Can you show me the step by step where to go?

[Mark H]

Can you show me the step by step where to go?

You'd need to ask that question in the Skinning & Design section for specifics, as this is the "Suggestions and Ideas" section.

[Adriano Faria]

Can you show me the step by step where to go?

Why don't you use the hook I linked you to? You only need to intall it and doesn't require a template edit.

[Wolfsburg]

Why don't you use the hook I linked you to? You only need to intall it and doesn't require a template edit.

thank you!

[TDBF]

On 29/04/2010, bfarber said:

We have to tailor the software to what the majority want. I'm of the opinion, until someone convinces me otherwise, that MOST users want to be remembered when they login. You already have the option to not be remembered, as well as the option to log out, so if you fail to use either of those, I'm not sure what else IPB can really do in that instance.

As a web developer for over 15 years on many large scale open source projects, this I find short sighted and unhelpful.

The problem is, you might as well have taken away the options and hard coded them into the code. The code is broken as far as I am concerned, it is incomplete. You present the end user with a choice of do I wish to be remembered or not, and take that away from them by hardcoding the option into the code. In fact you have done it twice, 'Remember Me' and  'Log me in as anonymous'.

To add real functionality to this code, these setting should have been stored in the members database and been given a remembered state overall.

This code within the login form here:

 

					<li class='ipsField ipsField_checkbox'>
						<input type='checkbox' id='inline_remember' checked='checked' name='rememberMe' value='1' class='input_check' />
						<div class='ipsField_content'>
							<label for='inline_remember'>
								<strong>{$this->lang->words['rememberme']}</strong><br />
								<span class='desc lighter'>{$this->lang->words['notrecommended']}</span>
							</label>
						</div>
					</li>
					<if test="anonymous:|:!$this->settings['disable_anonymous']">
						<li class='ipsField ipsField_checkbox'>
							<input type='checkbox' id='inline_invisible' name='anonymous' value='1' class='input_check' />
							<div class='ipsField_content'>
								<label for='inline_invisible'>
									<strong>{$this->lang->words['form_invisible']}</strong><br />
									<span class='desc lighter'>{$this->lang->words['anon_name']}</span>
								</label>
							</div>
						</li>
					</if>

Could easily be changed to this (add real functionality)

					<li class='ipsField ipsField_checkbox'>
						<input type='checkbox' id='inline_remember' <if test="member_rememberme:|:$this->member->rememberme">checked='checked'</if> name='rememberMe' value='1' class='input_check' />
						<div class='ipsField_content'>
							<label for='inline_remember'>
								<strong>{$this->lang->words['rememberme']}</strong><br />
								<span class='desc lighter'>{$this->lang->words['notrecommended']}</span>
							</label>
						</div>
					</li>
					<if test="anonymous:|:!$this->settings['disable_anonymous']">
						<li class='ipsField ipsField_checkbox'>
							<input type='checkbox' id='inline_invisible' name='anonymous' value='1' <if test="member_anonymous:|:$this->member->anonymous">checked='checked'</if> class='input_check' />
							<div class='ipsField_content'>
								<label for='inline_invisible'>
									<strong>{$this->lang->words['form_invisible']}</strong><br />
									<span class='desc lighter'>{$this->lang->words['anon_name']}</span>
								</label>
							</div>
						</li>
					</if>

Today, I had a member asking us why they couldn't change the setting for 'Remember me' and why we all made him sign in automatically all the time I told him to un-check the remember me check box and that should fix his issue. I was really surprised that the option was hard coded and a choice was taken away from the member, all because of short-sighted coding.

This gentleman is 78 and he states himself that he find computers hard enough, we as developers shouldn't be making it harder on the end user or more confusing when something as simple as checking or unchecking a box is concerned. If I, as the end user do not wish to be remembered, then you are forcing me into perform another action (Ie move a mouse and click it) and this can cause different issues, frustration and (possibly) over a longer period of time 'Repetitive Strain Injury'. It is a QOL issue, sort it.

 

[bfarber]

Just so it's known, you are quoting a post of mine from five and a half years ago.

[TDBF]

Sorry, but the issue is still there after 5 years

And I apologise, I meant to say a cookie and not the database.