Remember Me Checkbox

    • 128 posts
    December 16, 2019 5:21 AM EST

    Hello folks,

    Since we've upgraded to 4.10.5 I have been getting complaints that the "remember me" checkbox isn't working anymore and our users have to log in each time they visit the site.


    I know that enabling that feature is considered a security risk, but it's worth it to me to keep all the users from complaining to me!

    Any suggestions greatly appreciated!
    Nancy

    • Moderator
    • 6923 posts
    December 16, 2019 5:28 AM EST

    Yeah I delete that from my site it's so unsafe. Anyway, if you choose to use it, have them check their browser cookie settings. Good luck. 

    • 629 posts
    December 17, 2019 11:18 PM EST

    I didn't realize you could disable it.

    • Moderator
    • 6923 posts
    December 18, 2019 7:22 AM EST
    Elshara Silverheart said:

    I didn't realize you could disable it.

    I manually remove it from the code. Security experts said using those is not recommended. You can see how bad it can be with Facebook. How many friends of yours have been hacked? I've had many. I assume it's from the lazy login feature of the past. It looks like they've removed it too though.

    • 629 posts
    December 18, 2019 12:35 PM EST

    You know, encrypted login support like what Quora has via email verification coupled with security questions or better yet, verified browser sessions via cookies might make this process a lot easier and less hackable because the browser itself originating the request has to sign in to that encrypted email within a certain amount of time and password attempts from a new session to be able to verify itself properly before continuing.

    What I consider to be lazy login is a password system itself. It's not ideal, never has been and people forget them all the time. If the password itself was something more secure, behind the scenes and on-device encryption protocols, then only a traffic sniffer on the browser session itself would be able to have access to the data running through it and the server. If something like that hacked the server, it would need to verify tokens only the browser would have originating requests to data on the server, therefore no security breach could take place. Especially if to access the server, you needed its own token in that same space to be able to get anywhere, which is different than generating SSH keys.

    We can dream, though. I know I'm forgetting something crucial like the ability to have saved devices remember you only if your browser sessions on the device matched its last location verified by a local IP and network name.

    • 128 posts
    December 21, 2019 8:41 PM EST

    How do you disable/remove it from the code? If it's not working properly for us AND it is a security risk, I'd rather just remove the checkbox altogether....

    • Moderator
    • 6923 posts
    December 23, 2019 7:10 AM EST

    I don't have that info right now as it was a source edit but I'll try to look when I get time.

    • 128 posts
    December 23, 2019 11:38 AM EST

    Thank you Donna, no rush of course! I just changed the language to say "Remember Me is Disabled" for now.


    Merry Christmas if you celebrate!

    • Moderator
    • 6923 posts
    December 24, 2019 4:51 AM EST

    Merry Christmas!!

    • 128 posts
    January 1, 2020 7:48 AM EST

    Have you had a chance to see how to remove this? I currently have this and it looks kinda dumb :(

    • Moderator
    • 6923 posts
    January 1, 2020 1:15 PM EST

    I had done it two ways, and the most current is just with CSS which does not modify source files and works on my site using default theme. This is what I have:

    #user_form_login.global_form_box #remember-wrapper { display: none; }
    .signup_login_popup_wrapper #buttons-wrapper #remember-wrapper { display: none; }
    #user_form_login #remember-wrapper { display: none; }

    • 128 posts
    January 1, 2020 3:50 PM EST

    That worked! You're a genius.

    • Moderator
    • 6923 posts
    January 2, 2020 4:53 AM EST

    LOL, Glad it worked.

    • 18 posts
    August 26, 2020 12:15 PM EDT
    Donna said:

    Yeah I delete that from my site it's so unsafe. Anyway, if you choose to use it, have them check their browser cookie settings. Good luck. 

    Hi, are you able to elaborate more on the browser cookie settings?

    Is it something that my website can enable for them?

    • 7 posts
    December 6, 2020 3:21 PM EST

    Is there a way for users to stay logged in? I'm getting complaints that they have to log in every time.

    • Moderator
    • 6923 posts
    December 7, 2020 4:49 AM EST
    rabbithole said:
    Donna said:

    Yeah I delete that from my site it's so unsafe. Anyway, if you choose to use it, have them check their browser cookie settings. Good luck. 

    Hi, are you able to elaborate more on the browser cookie settings?

    Is it something that my website can enable for them?

    They would need to read the tutorials from various browsers as it is a user setting for security. They would need to make their security more lax. 

    • Moderator
    • 6923 posts
    December 7, 2020 4:50 AM EST
    Devin J said:

    Is there a way for users to stay logged in? I'm getting complaints that they have to log in every time.

    As we said above, it was removed for security. If you want to have a developer add it back, it would be at your own risk and the risk of your members.