-
25 Mar 2012 8:06 AM #1
Stay logged in
I've been thinking about the possibilities of letting a user "stay logged in" in a web app.
What do you think is the best practice?
Backend=PHP
Thanks / E
-
26 Mar 2012 6:56 AM #2 Sencha - Senior Forum Manager
- Join Date
- Mar 2007
- Location
- St. Louis, MO
- Posts
- 33,624
- Vote Rating
- 434
Set up a session on the backend, and on the frontend have a check to see if the user is already logged in.
Mitchell Simoens @SenchaMitch
Sencha Inc, Senior Forum Manager
________________
http://www.JSONPLint.com - Source to lint your JSONP!
Check out my GitHub, lots of nice things for Ext JS 4 and Sencha Touch 2
https://github.com/mitchellsimoens
Think my support is good? Get more personalized support via a support subscription. https://www.sencha.com/store/
Need more help with your app? Hire Sencha Services services@sencha.com
Want to learn Sencha Touch 2? Check out Sencha Touch in Action that is almost in print!
When posting code, please use BBCode's CODE tags.
-
26 Mar 2012 8:58 AM #3
Thanks,
I did a deep dive myself and came up with this:
- Storing user and password in localstorage is probably bad though it's readable. Another problem is that Apple has moved it to the cache folder.
- Setting a session cookie in the backend will do as long as you don't close the browser.
- Using a cookie with an authentication ID (some hashed value based on some user info and a salt) that's stored on the local machine and in the user table is probably the best idea.
To consider:
- Beware of XSS
- Let the cookie expire
More ideas?
-
26 Mar 2012 9:11 AM #4 Sencha - Senior Forum Manager
iOS 5 also sets the cookie acceptance setting to disable cookies. I had to resort to sending a session ID to and from my apps to get around this.
Mitchell Simoens @SenchaMitch
Sencha Inc, Senior Forum Manager
-
26 Mar 2012 12:18 PM #5
OK, but the cookie acceptance is user defined, isn't it?
Regarding your session solution: doesn't the session stop when you shut down the browser?
-
26 Mar 2012 12:24 PM #6 Sencha - Senior Forum Manager
I didn't feel it a good experience to ask my user to change the cookie setting. If I were to be asked that I wouldn't use the app.
I save the session id in localstorage and store the session in a database on the backend. If the session id doesn't exist in the database then I return a new one and handle that on the front end.
Mitchell Simoens @SenchaMitch
Sencha Inc, Senior Forum Manager
-
26 Mar 2012 10:38 PM #7
Sounds like the best solution, thanks!


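An added example, not code from any poster in this thread: the server side of the "cookie with an authentication ID that expires" idea from post #3, combined with the database-backed session lookup from post #6, written for Node.js. It swaps the hashed-user-info value for a random token, stores only the token's SHA-256 hash, and rotates the token on every use; the function names, the 30-day lifetime, the `remember` cookie name and the in-memory `Map` standing in for the database table are all assumptions.

```javascript
const nodeCrypto = require("crypto");

const TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day lifetime
// selector -> { userId, hash, expires }; stands in for the user/session table
const store = new Map();

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Issue a token. The client keeps "selector:validator"; the server keeps only
// the validator's hash, so a leaked table cannot be replayed as login cookies.
function issueToken(userId, now = Date.now()) {
  const selector = nodeCrypto.randomBytes(12).toString("hex");
  const validator = nodeCrypto.randomBytes(32).toString("hex");
  store.set(selector, { userId, hash: sha256(validator), expires: now + TOKEN_TTL_MS });
  return `${selector}:${validator}`;
}

// Redeem a presented token. Returns { userId, token } with a fresh token,
// or null so the front end can fall back to the login form.
function redeemToken(presented, now = Date.now()) {
  const [selector, validator] = String(presented).split(":");
  const row = store.get(selector);
  if (!row || !validator) return null;
  store.delete(selector); // single use: valid, expired or wrong, it is gone
  if (now > row.expires) return null; // server-side expiry, not just Max-Age
  if (!nodeCrypto.timingSafeEqual(row.hash, sha256(validator))) return null;
  return { userId: row.userId, token: issueToken(row.userId, now) };
}

// Logout or password change: drop every token that belongs to the user.
function revokeAll(userId) {
  for (const [selector, row] of store) {
    if (row.userId === userId) store.delete(selector);
  }
}

// HttpOnly keeps the token out of reach of injected script (the XSS concern),
// Secure keeps it off plain HTTP, Max-Age makes the browser drop it.
function cookieHeader(token) {
  return `remember=${token}; Max-Age=${TOKEN_TTL_MS / 1000}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```

If the token is kept in localStorage instead of a cookie, as in post #6, the same issue/redeem/revoke logic applies, but the value is readable by any script running on the page.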