mihomes - 10:41 am on Sep 6, 2013 (gmt 0) [edited by: jatar_k at 3:49 pm (utc) on Sep 11, 2013]
Is this really the best practice for this autologin ability?
In theory it is not that bad, but still allows someone to steal/use the cookie if they have access to it. You would then need to wait for the actual owner to log in to know a theft/use of the cookie happened. You then just invalidate the cookie if that happens and reset it. Well, that doesn't flow too well with me as the possibility is still there and who knows when the actual user would log in after it has been stolen.
On top of that... for the application I am using there may be multiple people using the same login as well as different computers, IPs, etc. So this warning/reset system from above would be triggered all the time.
Unless any of you know a different method I may just stick to NO autologon and if the user closes the browser then they will just have to log in again.
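An added example, not part of the original post: a sketch of a rotating remember-me token with the invalidate-on-reuse check the post describes, issued as one series per browser so that several people sharing a login on different computers do not trip the check for each other. The class, the function names, and the `series:token` cookie format are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class RememberMeStore:
    """Server-side table: series -> (user, SHA-256 of the current token)."""
    def __init__(self):
        self.rows = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # One series per browser/device, created at an interactive login.
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.rows[series] = (user, self._digest(token))
        return f"{series}:{token}"

    def redeem(self, cookie):
        """Return (status, user, replacement_cookie)."""
        series, _, token = cookie.partition(":")
        row = self.rows.get(series)
        if row is None:
            return "unknown", None, None
        user, stored = row
        if not hmac.compare_digest(stored, self._digest(token)):
            # Known series but stale token: the cookie exists in two places
            # and one copy was already used. Revoke this series only.
            del self.rows[series]
            return "theft-suspected", user, None
        new_token = secrets.token_urlsafe(32)  # single use: rotate every time
        self.rows[series] = (user, self._digest(new_token))
        return "ok", user, f"{series}:{new_token}"

def demo():
    store = RememberMeStore()
    laptop = store.issue("shared-account")   # constructed sample account
    kiosk = store.issue("shared-account")    # second device, same login
    copied = laptop                          # constructed: duplicate of the cookie
    s1, _, laptop = store.redeem(laptop)     # auto-login, token rotates
    s2, _, _ = store.redeem(copied)          # stale duplicate presented later
    s3, _, _ = store.redeem(kiosk)           # other device is unaffected
    s4, _, _ = store.redeem(laptop)          # series revoked: password required
    return [s1, s2, s3, s4]

if __name__ == "__main__":
    print(demo())
```

The reuse check only fires once both copies of a cookie have been presented, so the window the post worries about remains; a short token lifetime and requiring the password for sensitive actions narrow it.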