For a cookie-based "remember me" function on a web app, the user can choose to stay logged in for X days:

What do you think is better:

a) set the expiration time of the "remember me" cookie only at first login, so the cookie expires X days after the first login?

or

b) re-set the expiration time each time the user logs in, so the cookie would expire X days after the last login?

What do you think a user would expect?

A: 

Good question. Best option might be to ask actual users. After all, they'll have to live with your decision :-).

But personally I'd vote for b). Normally the point of expiration is that the login will expire when you no longer use the computer and therefore no longer need the login. So it makes sense to start the expiration timer only when the user no longer actively uses the login.

sleske
Thanks, yeah, b) sounds like the better option. Unfortunately I can't upvote your answer because of my lack of "reputation" here ;-)
stesch
No problem. The reputation will come :-).
sleske
When you have a Remember Me function like that for a web app, it's also a good idea to have the user re-authenticate for actions you consider to have important security context. For example, changing the account's email address. This way users aren't bothered with having to re-enter their password all the time, but the negative impact of someone else using the browser with the "remembered" cookie is reduced.
Mike
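The thread settles on option b) (the cookie's lifetime restarts on every login) plus Mike's point that a "remembered" session should not be enough for sensitive actions. Below is an added example showing both, written for this page rather than taken from the thread or any particular framework. The signed-token format, the `SERVER_KEY`, the constants `REMEMBER_DAYS` and `REAUTH_WINDOW_SECONDS`, and all function names are assumptions; a real deployment would load the key from configuration and set the cookie with the `Secure` and `HttpOnly` flags.

```python
# Added example (not from the original thread): a minimal signed "remember me"
# cookie with sliding expiry (option b) and a re-authentication check for
# sensitive actions. Token format, key handling and time windows are assumptions.
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, kept server-side only
REMEMBER_DAYS = 30                     # the "X days" the user chose
REAUTH_WINDOW_SECONDS = 10 * 60        # a password login older than this does not cover sensitive actions
DAY = 86400


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload so the client cannot forge or extend a cookie."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_remember_cookie(user_id: str, now: float, days: int = REMEMBER_DAYS) -> str:
    """Create a cookie value that expires `days` after `now` (the timestamp is inside the MAC)."""
    expires_at = int(now) + days * DAY
    nonce = secrets.token_urlsafe(16)          # makes every issued cookie distinct
    payload = f"{user_id}:{expires_at}:{nonce}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def _decode_body(body: str) -> bytes:
    padding = "=" * (-len(body) % 4)
    return base64.urlsafe_b64decode(body + padding)


def parse_remember_cookie(cookie: str, now: float) -> Optional[Tuple[str, int]]:
    """Return (user_id, expires_at) if the cookie is authentic and unexpired, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = _decode_body(body)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison of the MAC; reject before looking at the contents.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        user_id, exp_str, _nonce = payload.decode().rsplit(":", 2)
        expires_at = int(exp_str)
    except ValueError:
        return None
    if now >= expires_at:
        return None
    return user_id, expires_at


def login_with_cookie(cookie: str, now: float, sliding: bool = True) -> Optional[Tuple[str, str]]:
    """Authenticate from the remember-me cookie and return (user_id, cookie to send back).

    sliding=True  -> option b: a fresh cookie expiring X days after *this* login.
    sliding=False -> option a: the original cookie is kept; it still expires X days
                     after the first login, however often the user comes back.
    """
    parsed = parse_remember_cookie(cookie, now)
    if parsed is None:
        return None
    user_id, _ = parsed
    new_cookie = issue_remember_cookie(user_id, now) if sliding else cookie
    return user_id, new_cookie


def needs_reauth(password_auth_at: Optional[float], now: float) -> bool:
    """Gate for sensitive actions such as changing the account e-mail address.

    `password_auth_at` is when the session last saw a real password login;
    a session created only from the remember-me cookie has None here, so
    whoever picked up the browser must still type the password.
    """
    if password_auth_at is None:
        return True
    return now - password_auth_at > REAUTH_WINDOW_SECONDS


if __name__ == "__main__":
    t0 = 1_000_000.0                                   # constructed timestamp
    cookie = issue_remember_cookie("alice", t0)
    user, renewed = login_with_cookie(cookie, t0 + 20 * DAY)          # option b
    print(user, parse_remember_cookie(renewed, t0 + 45 * DAY) is not None)
    print(needs_reauth(None, t0), needs_reauth(t0, t0 + 60))
```

The expiry lives inside the signed payload rather than only in the browser's cookie `Expires` attribute, so a client cannot keep a "remembered" login alive by editing the cookie; the server decides. With `sliding=True` each login re-signs a new expiry, which is exactly the behaviour the answer argues for, and `needs_reauth` implements Mike's suggestion by treating a cookie-only session as having no recent password authentication at all.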