By making staying logged in a default on shared machines, forgetting to log out is a very serious security matter, because you probably won’t realize that it’s happening. If this option is omitted at login, then you must remember to log out. Even when you know you should, you don’t or can’t always do it. This is not a very secure default.

Currently, without any plugin, Habari logins timeout after 20 minutes of non-use. (We are considering extending that to an hour.) Also, if you log out of Habari on one machine, it logs you out of any machine that might be using your login. There are also measures in place that prevent a hacker from re-using the cookie that keeps you logged in. There is no “remember me” option at all.

We’ve been talking this week about how we can make this easier on the user who is used to working with less secure but more convenient systems. I think many developers on the project are of the opinion that “most secure by default” is the way to go. We can’t expect that every user of our software has a degree in computer security, and it’s our responsibility to make some educated decisions for our users. Only if you really understand the ramifications should you install something that makes your site less secure.

With Habari we have some interesting tricks up our sleeves that might allow the software to be more permissive without completely compromising security, but as a rule, I am pretty emphatic about removing that checkbox, but not because it should remember your login by default; rather, because it shouldn’t remember your login at all.

I feel like most people want to be remembered, except on shared computers, of course, and those people know to log out. Even my most computer illiterate of friends understand this. The only people I run in to anymore that worry about cookies are people who are living in 1997 and just don’t get it. I got some funny friends.

But all in all, at least in the various circles I run in, I feel like “remember me” is unnecessary.

But multiple users (even if it’s just a friend checking his email on your system) is a large enough group of people that it’s worth having on.

I think there’s some sort of privacy issue but i can’t come up with anything at the moment.

Also, I often choose not to use the remember me because I use have a set of passwords for each site and typing the username and password each time helps me memorize them. If I’ve only logged in once to a site, I’m pretty much screwed if I have to login a month down the road. I can guess and go through them all, but it’s frustrating to have to send password reminders all the time.