juanmnl
commented
3 days ago We are adding a "Stay logged in" checkbox so users can choose to have their session persisted in a common pattern, and modifying the first input label from "User" to "Username".
Problem description Currently, users must re-authenticate frequently due to the lack of a persistent session feature. This could lead to user frustration, particularly for those who use the application multiple times. Users should be able to control whether to stay signed in across sessions so they can balance convenience and security according to their needs.
Solution description Introduce a persistent session feature with an option for users to stay signed in across sessions upon signing in. This feature should allow users to stay signed in for a configurable duration, balancing convenience with security. The solution should include necessary security measures to mitigate potential risks associated with persistent sessions.
Scope of the solution
Provide a way for the users to enable this feature while signing in to the application, e.g.
Provide a prompt to users explaining the benefits and risks of staying signed in, especially on shared or public devices.
When persistent session is enabled, the session should persist for a configurable duration (e.g., 14-30 days) unless the user explicitly logs out or clear cookies.
If persistent session is not enabled, the session should follow the default timeout policy (session and idle timeout).
Require re-authentication for sensitive actions even if the user is in a persistent session.
Notify users when their session is about to expire and provide an option to extend the session without needing to re-authenticate.
Implement analytics to track the usage of the persistent feature and monitor patterns of login behavior for security analysis.