ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Login: Remember me

February 9, 2019 · 13:16 · John
Description

Below the login credentials there is this cryptic "remember me" that doesn't mean anything at all.

  • Remember me for what, for how long and what for?

The correct syntax for such checkboxes is:

  • Remember me for XX days on this computer
Discussion
Code Potent

I agree it isn't incredibly self-explanatory, although, in well over a decade, I've never once been asked by anyone what it means. I think it's pretty universal by now, but that's just a guess. At any rate, this text can be easily changed on a case-by-case basis with the following code-snip, so it seems a bit much to add it to core.

```php
// Replace the login form's "Remember Me" label via the gettext filter.
add_filter('gettext', 'copo_remember_me_text', 10, 3);
function copo_remember_me_text($translated_text, $original_text, $domain) {
    if ($translated_text === 'Remember Me') {
        return 'Whatever text you want.';
    }
    return $translated_text;
}
```

John

I'm not sure about your statement that it is self-explanatory. What would be? That your login is remembered? Then why am I logged out after some time?

Many clients of mine are asking about that, others of course don't really care as they log in once in a while only and when they come back they are always logged out anyhow.

This setting should be detailed for visitors + configurable by admins.

mark kaplun

The setting just should not exist. Either it is not secure to have long cookies, in which case why suggest it, or if there is no security problem with that you can use a longer time by default and/or automatically change the cookie duration after X admin page views or some smarter algorithm.

James Nylen

This is one of those things where I still find myself wondering "huh, I wonder how that works exactly" and then ultimately ignoring it. It could definitely be improved, but I don't think it's a high priority that causes lots of difficulty with the platform either.

If this is going to continue to exist then I would support changing it to "Remember me for XX days on this computer".

@mark kaplun: when such a UI is done thoroughly it usually asks you whether you're using the site on a trusted/permanent device.

Though maybe even those prompts shouldn't exist. What an untrusted device chooses to do with your cookies is the least of your concerns if you're typing passwords in there.

mark kaplun

@James, agree to both your comments. This obviously needs some more thinking, but if you log in from an untrusted device, and this could mean just an internet kiosk which does not properly clean all browser history when restarting for a new user, then the cookies should be set to session only, not even the default two days.

Maybe the right thing is to use session cookies by default and let the user set something like device trust level from the admin.

Using session as default might also be a good way to fight CSRF.

Jesse

At first glance it sounds like a minor issue, but it actually could be a significant change (improvement) from WordPress Core if done well.

We have many managed hosting clients that install third party plugins in order to save their customers' login sessions longer, esp. for WooCommerce.

> If this is going to continue to exist then I would support changing it to "Remember me for XX days on this computer".

This sounds about perfect. Maybe 30 days is a good default?

> This obviously needs some more thinking, but if you log in from an untrusted device, and this could mean just an internet kiosk which does not properly clean all browser history when restarting for a new user, then the cookies should be set to session only, not even the default two days.

These are very interesting ideas, however might be getting too complex for basic Core features I think. However, by keeping in mind potential customization it might provide for easier session tweaking when using third party plugins.
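
The thread asks for a label that states the duration and for a lifetime admins can configure. The following is an added example, not part of any post above and not ClassicPress core code: it ties the label to the real cookie lifetime through the `auth_cookie_expiration` and `gettext` filters. The option name `example_remember_days`, the 30-day cap and all `example_*` function names are assumptions.

```php
<?php
// Added example (not core code). 'example_remember_days' is a hypothetical
// option an admin settings screen would write; the 30-day cap is an assumption.
const EXAMPLE_REMEMBER_MAX_DAYS = 30;

// Read the configured lifetime and clamp it, so a bad or hostile option
// value cannot produce a zero-length or very long-lived auth cookie.
function example_remember_days() {
    // 14 days is the default "remember me" lifetime inherited from WordPress.
    $days = absint( get_option( 'example_remember_days', 14 ) );
    return max( 1, min( $days, EXAMPLE_REMEMBER_MAX_DAYS ) );
}

// Apply the configured lifetime only when the box was ticked.
add_filter( 'auth_cookie_expiration', 'example_auth_cookie_expiration', 10, 3 );
function example_auth_cookie_expiration( $length, $user_id, $remember ) {
    if ( ! $remember ) {
        // Unticked: keep the default (browser-session cookie, 2-day validity).
        return $length;
    }
    return example_remember_days() * DAY_IN_SECONDS;
}

// Show the same number in the label, so the text and the cookie cannot drift apart.
add_filter( 'gettext', 'example_remember_me_label', 10, 3 );
function example_remember_me_label( $translated_text, $original_text, $domain ) {
    if ( 'Remember Me' === $original_text && 'default' === $domain ) {
        return sprintf(
            'Remember me for %d days on this computer',
            example_remember_days()
        );
    }
    return $translated_text;
}
```

Matching on `$original_text` rather than the translated string keeps the label replacement working on non-English installs.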