I'm wondering why do we need to ask user to make a decision, for how long he want to be authenticated? This is done by having "keep me signed in" option login page:
Why can't we simply "predict" how long user wants to be authenticated. For example, 1. User Logged in for first time - 20 min session timeout 2. User's session was expired after 20 min, so he logged in for second time (during next hour after expiration). This means user work with website frequently, so we can extend his next session to 40 min 3. Another use case. We know that user works with our app at least 3 hours a day, so his session expiration time is 3 hours. But now he logging in from unknown/new computer. Let's consider it as a public computer and set session time 20 min (instead of 3 hours).
So, what I'm trying to say is that label "keep me logged in" doesn't describe for how long will user be kept logged in. Also it doesn't describe whether session will be ended when user close the browser window or not.
In addition, website could learn user's habits and learn that some users use web site during their work day from 8am to 5pm. So it may keep them signed in during this timeframe. If user will try to come at 6pm - ask him credentials, but if he comes next day at 8am - don't ask him login/password.
Does it make sense?
Answer
The main reason for that, IMO, is if the user is logging in from a location that is not necessarily their home or normal one - public computer, friends house, etc.
By not "remembering me" I signify that I don't want the site to remember my username making it easier for someone to guess my user ID and pass.
Yes, I should log out, but what if I forget? Closing the browser should enable me to get logged out.
No comments:
Post a Comment