I've just finished a well-thought-out login validation mechanism and have asked myself the following question several times:
What does the user expect when he checks the Remember me checkbox in an enterprise application?
So, should I store only the username, or the password alongside it, so the user gets logged in right away when he starts up the application? Or should I simply save the username and have the user re-enter the password all the time?
I'm not asking whether or how to save the remembered password, that'd be a question for security.stackexchange.com and not ux.
This application (not necessarily mine) is used daily at a high frequency, so also remembering the password would be a good idea. But would it? Or wouldn't it? What does the user expect?
I've also considered implementing some kind of expiring algorithm, but I do not fancy that, so I'm now asking the experts: You!
Answer
This is mostly a security question; however, traditionally the "Remember Me" checkbox places a session cookie in the user's browser so as to "automatically" log the user in. Making the checkbox "remember" the user's username/password is a feature best left to the browser and could be unintuitive for users accustomed to the normal behavior.
I would go with the normal route of creating a session cookie - like you said, you can have this cookie expire to increase the security of the method. There is likely a very standard way of doing this depending on the technologies you are using to host/run your website.
Edit: Sullivan also has the good suggestion of naming this feature more properly (i.e., "Stay signed in").
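The expiring cookie described in the answer above, sketched as an added example that is not part of the original question or answer: the server issues a random token instead of storing the password, keeps only a hash of it, and rejects it after a fixed lifetime. The cookie name, the 14-day lifetime and the in-memory `_store` (standing in for a database table) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "stay_signed_in"   # hypothetical cookie name
LIFETIME = 14 * 24 * 3600        # assumed lifetime: 14 days, in seconds
_store = {}                      # selector -> (sha256(validator), username, expires_at)


def issue_token(username, now=None):
    """Create a stay-signed-in token and return the Set-Cookie header value."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)    # lookup key, not secret on its own
    validator = secrets.token_urlsafe(32)   # secret part, only its hash is stored
    digest = hashlib.sha256(validator.encode()).hexdigest()
    _store[selector] = (digest, username, now + LIFETIME)

    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{selector}.{validator}"
    morsel = cookie[COOKIE_NAME]
    morsel["max-age"] = LIFETIME      # browser drops the cookie after this
    morsel["path"] = "/"
    morsel["secure"] = True           # sent over HTTPS only
    morsel["httponly"] = True         # not readable from page scripts
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


def redeem_token(cookie_value, now=None):
    """Return the username for a valid token, else None.

    A token is single-use: the record is removed on every attempt, and the
    caller issues a fresh token after a successful sign-in.
    """
    now = time.time() if now is None else now
    selector, _, validator = cookie_value.partition(".")
    record = _store.pop(selector, None)
    if record is None:
        return None
    digest, username, expires_at = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Server-side expiry check, independent of the browser honouring Max-Age.
    if now >= expires_at or not hmac.compare_digest(digest, presented):
        return None
    return username
```
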