Remember Me function via javascript



Falkon303
04-24-2011, 04:15 AM
I've heard that setting cookies via javascript has its advantages, and I am considering having a "Remember Me" function on a site I am working on. My question is, is it worth it? Nowadays remembering passwords is primarily done through the browser itself anyways. I'd love to hear some views on this.

djr33
04-24-2011, 05:48 AM
I'm trying to understand what you're asking, but honestly I don't understand at all: I think you need to give more background information.

I don't see any "advantage" to using cookies in Javascript as opposed to any other [that is serverside] language, like PHP. In fact, as far as I know, these cookies would be shared by all of the languages, so that you could create a cookie in one and read it in another. The only advantage to Javascript would be that it can interact with cookies (and other things) in real time so you don't need to reload the page to refresh something with the cookies.

As for cookies being in general (with or without Javascript) a good idea, I'd agree, though it entirely depends on the project. Some scripts involving cookies are overkill, remembering unimportant settings on a menu for example, but other times they can be useful, as long as you remember that they're not entirely reliable so they can't be completely required, just helpful if they work. And often that's the case. Think of cookies like a bonus-- sometimes good, rarely bad, but not part of the core of something.


Please define "Remember Me function"-- that might mean remembering the state of things in Javascript (like a menu or whether or not to show a popup ad), or it could refer to how the term is used in logins. Note that Javascript has nothing to do with logins (unless it's used on top of an existing serverside system), so you can't use Javascript alone to remember a login.

"Nowadays remembering passwords is primarily done through the browser itself anyways."
What do you mean by that? A browser may or may not have an option to store passwords that automatically get filled in when visiting a certain site. But that isn't related to the webpage at all-- it's just the browser automatically typing for a user. It's also not secure and a "use at your own risk" feature. (But it's not available locally-- that information is not available except while on that computer or after the user submits a form containing a stored password.)
Javascript could be implemented to automatically store and insert passwords for logins, but I think that's a terrible idea. If a user wants this, they can use the browser and that will be more secure (not secure, but better than Javascript at least) and it's available in the main browsers if users like it. And if there's any chance that a user might not be aware that you are automatically storing their password in a cookie, that could be very bad. Best to avoid it.
On the other hand, you could remember a username without much risk, so that would be one thing to do to make it a personal experience. But I don't think it's required and you could easily do that serverside as well, with or without cookies. (Though cookies would help to link between sessions, since a database would need to use IPs or something less reliable like that.)


All logins require serverside authentication as well as some way to remember this. It's often done using session data (such as in PHP). This says nothing about remembering a user between visits and using Javascript would [potentially, to some extent] compromise the security of a system without adding much to it.


Explain a bit more and we'll try to address your specific questions/situation.

Falkon303
04-24-2011, 09:26 PM
By the "remember me" function, I am referring to the user login credentials. As for the question, I was addressing the fact that many browsers offer to auto-populate this data as well, so is the "remember me" function actually even needed?

djr33
04-25-2011, 01:38 AM
For storing passwords, I would definitely leave that to the browsers.

But there are at least 3 kinds of "remember me" functions out there:
1. Auto-fill for username and password. Just like in the browser. (Not a good idea for Javascript, in my opinion.)
2. Auto-fill for username only. Basically just a friendly personalized but still secure (generally speaking*) method. A subtype of this is where there is a "partial" login such as on Amazon.com. If I go there without being formally logged in, it still reads "Hello, Daniel." but then I actually need to log in securely in order to spend any money in the store.
3. A method of extending existing logins but not actually related to the login process itself.

(3) is the most common and the most useful. This is where the term is most often used in forums and other software like that. A "session" is a term used to describe a single "visit" to a website. Basically it lasts as long as the user is actively reloading a page on the website within a few minutes of reloading the last page. Sometimes it can be 15 minutes or other times it might be 3 hours. But what happens after a session (closing the browser window, waiting too long to refresh, etc) is that all this data is lost. A generally secure and very common method for logins is to use sessions like this. So your login only lasts as long as you continuously use the site. If you return hours later, you may not still be logged in. This is also the default value for a cookie's expiration: one browser session.
The alternative to this is often termed "remember me" and it works by storing a cookie on the user's computer that lasts longer than a session. When the user returns the cookie will identify them and make them stay logged in. This cookie does not contain a username or password. Instead it contains a session identifier that relinks the session. (Basically-- it is actually a little more complicated than that, but that's the main idea.)


I think (3) can be very useful, though it is potentially less secure-- it allows for someone else to steal (or guess?) that cookie's value and use it themselves as a shortcut into that user's account.


(*To be completely safe, the username is actually best kept secret as well. It's sorta like a password in the sense that you need to know both to gain access to an account. That's like saying the length of your "password" is not just the length of the password, but of the username and password combined. If your username is 8 characters and your password is also 8 characters, then having to guess both at the right time is much more difficult than just guessing 8 characters. But aside from making it exponentially easier to hack an account using brute force to guess the password, revealing the username doesn't directly compromise security.)
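
Added example, not part of the original thread: a server-side (Node.js) sketch of the type (3) "remember me" cookie described in the post above. It goes a little further than the post by using a random single-use token that is stored only as a hash, instead of a raw session identifier. The function names, the `remember` cookie name, the 30-day lifetime and the in-memory `tokenStore` (standing in for a database table) are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const REMEMBER_DAYS = 30;      // assumed lifetime of the persistent cookie
const tokenStore = new Map();  // hypothetical stand-in for a DB table: selector -> record

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Called after a successful password login when "remember me" is ticked.
// Returns the Set-Cookie header value. The cookie is set by the server so it
// can carry HttpOnly, which a cookie written through document.cookie cannot.
function issueRememberToken(userId, now = Date.now()) {
  const selector = nodeCrypto.randomBytes(12).toString('hex');  // lookup key, not secret
  const validator = nodeCrypto.randomBytes(32).toString('hex'); // secret, unguessable
  const expires = now + REMEMBER_DAYS * 86400 * 1000;
  // Only a hash of the validator is kept, so a leaked table cannot be replayed.
  tokenStore.set(selector, { userId, hash: sha256(validator), expires });
  return `remember=${selector}.${validator}; Max-Age=${REMEMBER_DAYS * 86400}; ` +
         'Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Called when a visitor arrives with no live session but with the cookie.
// Returns { userId, setCookie } on success, or null if the token is rejected.
function redeemRememberToken(cookieValue, now = Date.now()) {
  const [selector, validator] = String(cookieValue).split('.');
  const rec = tokenStore.get(selector);
  if (!rec || !validator) return null;
  tokenStore.delete(selector);        // single use: a copied cookie cannot be replayed
  if (rec.expires < now) return null; // server-side expiry, independent of the browser
  if (!nodeCrypto.timingSafeEqual(rec.hash, sha256(validator))) return null;
  // Rotate: the caller starts a fresh session and sends the new cookie.
  return { userId: rec.userId, setCookie: issueRememberToken(rec.userId, now) };
}
```

A session restored this way can still be treated as the "partial" login from item (2), with the password required again before sensitive actions.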

Falkon303
04-25-2011, 03:08 PM
Thanks for these responses. I very seldom find myself freaking out if I close a window and have to return to the forum location. For example just now when I went to reply, all I had to do was click "login", because Firefox had auto-populated my information. Those are very interesting perspectives on the usefulness/security issues. Thank you.

I think I won't include any of the functions unless I receive an email about it. Maybe people who don't know what it does will think I am neglecting them somehow! -lol-

djr33
04-25-2011, 05:05 PM
I think that should be fine. Unless you have a very good reason, (1) and (2) above should not be required. (3) can be helpful and save users time if they want to always stay logged in rather than having to log in each time they revisit the site. But it won't hurt much to not have that, at least for a while.

Falkon303
04-28-2011, 11:21 PM
Thank you for the insight on this. I'll probably just leave it out until I get a request.