“Remember Me On This Computer” - How Should It Work?

Backend · Unresolved · 5 · 1017
醉话见心
醉话见心 2021-01-30 04:58

Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie. The username/one-time-access-token. It could be implemented differently in cases wher

5 answers
  •  余生分开走
    2021-01-30 06:00

    I regularly use 2 or 3 machines simultaneously, and have "remember me" on all of them. If one of them disconnected the others that would be very annoying, so I wouldn't recommend it.

    Traditionally it would use a time-out, the cookie expires after a certain length of time (or when the user signs out).

    It all depends on your security model. If you are writing an internal company application where you only ever expect one user to be on one computer then you might want to have tighter restrictions than gmail.

    Also, bear in mind the possibility of Denial of Service - if an action on one machine can force another machine to be unusable this could be used to prevent a legitimate user from taking control back in certain scenarios.
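The per-device, time-limited scheme the answer describes (one cookie per browser, expiry by timeout or on sign-out, and no cross-device disconnects), combined with the rotate-on-use behaviour the question attributes to Gmail's one-time access token, as an added example that is not code from the original post. It assumes the common selector:validator cookie split and an in-memory dictionary standing in for a database table; all names and the scenario in `walkthrough()` are constructed.

```python
import hashlib
import hmac
import secrets
import datetime as dt

# Assumed lifetime for a remember-me cookie (the answer's "certain length of time").
REMEMBER_TTL = dt.timedelta(days=30)


class RememberMeStore:
    """Server-side record of every live remember-me token, one per device."""

    def __init__(self):
        # selector -> {"user", "validator_hash", "expires"}; constructed in-memory store
        self._records = {}

    @staticmethod
    def _hash(validator: str) -> str:
        # Only a hash of the secret half is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(validator.encode()).hexdigest()

    def issue(self, user: str, now: dt.datetime) -> str:
        """Create a fresh cookie value for one browser; other devices are untouched."""
        selector = secrets.token_urlsafe(12)    # lookup key, not secret
        validator = secrets.token_urlsafe(32)   # secret, only ever hashed server-side
        self._records[selector] = {
            "user": user,
            "validator_hash": self._hash(validator),
            "expires": now + REMEMBER_TTL,
        }
        return f"{selector}:{validator}"

    def validate(self, cookie: str, now: dt.datetime):
        """Return (user, new_cookie) for a valid cookie, else None.

        The presented token is consumed and replaced (one-time use), so an old
        copy of the cookie stops working after its first use.
        """
        try:
            selector, validator = cookie.split(":", 1)
        except ValueError:
            return None
        rec = self._records.get(selector)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._records[selector]          # timed out: clean up
            return None
        if not hmac.compare_digest(rec["validator_hash"], self._hash(validator)):
            # Known selector with a wrong secret: drop that device's token so a
            # guessed or tampered cookie cannot keep being retried.
            del self._records[selector]
            return None
        user = rec["user"]
        del self._records[selector]
        return user, self.issue(user, now)

    def revoke(self, cookie: str) -> None:
        """Sign out on this device only; the user's other devices stay signed in."""
        self._records.pop(cookie.split(":", 1)[0], None)

    def revoke_all(self, user: str) -> None:
        """'Sign out everywhere': only the account owner should be able to trigger this."""
        for sel in [s for s, r in self._records.items() if r["user"] == user]:
            del self._records[sel]

    def active_devices(self, user: str) -> int:
        return sum(1 for r in self._records.values() if r["user"] == user)


def walkthrough() -> dict:
    """Constructed scenario: one user with two browsers, as in the answer above."""
    store = RememberMeStore()
    t0 = dt.datetime(2021, 1, 30, tzinfo=dt.timezone.utc)
    laptop = store.issue("alice", t0)
    desktop = store.issue("alice", t0)
    devices_before = store.active_devices("alice")
    store.revoke(laptop)                                   # sign out on the laptop only
    devices_after = store.active_devices("alice")
    later = t0 + dt.timedelta(days=1)
    first = store.validate(desktop, later)                 # desktop still works
    replay = store.validate(desktop, later)                # same old cookie again: rejected
    rotated = first[1] if first else None
    expired = store.validate(rotated, t0 + dt.timedelta(days=40)) if rotated else None
    return {
        "devices_before": devices_before,
        "devices_after": devices_after,
        "desktop_still_valid": first is not None and first[0] == "alice",
        "replay_rejected": replay is None,
        "expired_rejected": expired is None,
    }


if __name__ == "__main__":
    print(walkthrough())
```

In a web application the returned value would be set as an `HttpOnly`, `Secure` cookie and the rotated value written back on every successful use; `revoke` is the per-device sign-out the answer prefers, and `revoke_all` is the explicit "sign out everywhere" action, kept under the account owner's control so that activity on one machine cannot be used to lock the legitimate user out of the others.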
