Stay Login - Serious Log Out Issue


Teken

Hello,

 

I saw the IFTTT announcement and tried moments ago to log in to the portal. Upon doing so, I noticed a new pop-up message that asked whether I wanted to stay logged in.

 

I never got the chance to say yes and the portal continues to log you out over and over again.


My apologies.

 

This is fixed now.

 

Benoit.


Please reload the page.

 

Benoit

 

Hello Benoit,

 

Hard reloaded and cleared the web browser cache on Chrome and it's fine now. Should there be a *Stay Login* message option available somewhere now?

 

I am not prompted at all and see no method to enable this feature which is most welcome!


Hi Teken,

 

The auto logout fires after 14 minutes of inactivity, offers a 1 minute grace period to stay logged in, and if there is no response, it logs you off.

 

It is a security measure that is not configurable.

 

Benoit.

 

Hello Benoit,

 

Understood, and I appreciate the insight. Perhaps this needs to be called out somewhere for users, as most people who see the pop-up message would assume the message indicates they stay logged in until such time as the user wishes to leave.

 

Just trying to avoid misunderstanding and support calls . . .


Is it possible for the portal login to save the email address? It's kind of a pain to type it in every time.

 

Hello Bob,

 

We want the portal to be as secure as possible, so that would go against the purpose.

 

However, browsers like Chrome will allow you to cache the user and password, and fill them in for you if you wish to do so.

 

Benoit.


Benoit,

 

I understand (and encourage!) Security first - but there are ways of providing a 'Remember Username' check box on a logon form, then encrypting the username using a symmetric key (with timestamp and nonce) in a cookie to persist it in the browser.

 

When the cookie is received in the future, you (and nobody else) can decrypt it, obtain the timestamp to determine if it has expired (only allow the next 30 days, for instance) and use the value to pre-populate the username. There is no loss of strength as a result of this.

 

After a successful logon, you resend the username encrypted cookie with a new timestamp and nonce - providing another 30 days of remembering the username.

 

I actually suspect it would be more secure than having Chrome remember it - and its use would be optional.

 

Michael.
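
The remembered-username cookie described in the post above, as an added example that is not part of the original thread and not the portal's code. It uses Node.js's built-in AES-256-GCM; the cookie name `remember_user`, the `/login` path and all function names are assumptions made for illustration.

```javascript
// Added example: "remember username" cookie sealed with AES-256-GCM.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000;      // 30-day window from the post
const AAD = Buffer.from('remember-username-v1');   // binds the token to this one purpose

// Seal the username and issue timestamp under a fresh random 96-bit nonce.
function sealUsername(username, key, now = Date.now()) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(AAD);
  const body = Buffer.from(JSON.stringify({ u: username, iat: now }), 'utf8');
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64url');
}

// Return the username, or null if the cookie is malformed, forged or expired.
function openUsername(cookie, key, now = Date.now()) {
  try {
    const raw = Buffer.from(String(cookie), 'base64url');
    if (raw.length < 12 + 16 + 1) return null;     // nonce + tag + some ciphertext
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAAD(AAD);
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { u, iat } = JSON.parse(body.toString('utf8'));
    if (typeof u !== 'string' || !Number.isFinite(iat)) return null;
    const age = now - iat;
    return age >= 0 && age <= MAX_AGE_MS ? u : null; // reject future-dated and stale
  } catch {
    return null;                                   // tag mismatch, wrong key, bad JSON
  }
}

// Header re-sent after every successful logon, restarting the 30 days.
// Cookie name and path are hypothetical.
function rememberCookie(username, key, now = Date.now()) {
  return `remember_user=${sealUsername(username, key, now)}; ` +
    `Max-Age=${MAX_AGE_MS / 1000}; Path=/login; Secure; HttpOnly; SameSite=Lax`;
}
```

The value only pre-populates the login form; it is never treated as proof of identity, so a stolen cookie reveals nothing readable and grants no session.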


If that can't be done perhaps allowing a longer session could be done. Instead of the 1 minute extension let it reset the 14 minute login time.

 

Being prompted to extend the session by one minute isn't very useful for most people.

 

 

In the end, we will remember not the words of our enemies, but the silence of our friends.


Hello everyone,

 

Thanks so very much for the feedback. So, the only thing you are asking to be stored is the email address, correct? If so, should there be a timeout on the cookie?

 

With kind regards,

Michel

 

Yes, just the email. I don't see much benefit to applying a timeout, since it would be on a local machine.


Hi Michael,

 

After discussing it with Michel, we are adding this to the development queue.

 

Thanks for the suggestion.

 

Benoit.
