“Remember Me On This Computer” - How Should It Work?

醉话见心 2021-01-30 04:58

Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie. The username/one-time-access-token. It could be implemented differently in cases wher

5 answers
  •  长情又很酷
    2021-01-30 06:00

    Access tokens should be IP specific so that they cannot easily be transferred across machines.

    They should also be implemented in a way that allows users to see what machines they have active tokens on.

    Sites that choose to kill off a token once a new one is created on another computer - make the choice that their users will not access their service on multiple computers - or if they do - that their usage justifies making them log in again.

    The policy you employ really depends on the data you are holding and the needs of the user.
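
A minimal sketch of the policy described in the answer above (tokens bound to the issuing IP, a per-user list of machines holding active tokens, and an optional mode that kills older tokens when a new one is issued), added here as an example and not code from the original post. The class and method names are hypothetical, the store is in memory, and storing only a hash of the token and rotating it on every use are assumptions of this example.

```python
import hashlib
import secrets
import time


class RememberMeStore:
    """In-memory remember-me token store (hypothetical, constructed for illustration)."""

    def __init__(self, single_device=False, ttl=30 * 24 * 3600):
        self.single_device = single_device  # kill older tokens when a new one is issued
        self.ttl = ttl
        self._rows = {}  # sha256(token) -> {"user", "ip", "device", "expires"}

    @staticmethod
    def _digest(token):
        # Only a hash is kept, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, ip, device, now=None):
        now = time.time() if now is None else now
        if self.single_device:
            self.revoke_all(user)
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user": user, "ip": ip, "device": device, "expires": now + self.ttl}
        return token  # the cookie would carry the username and this token

    def redeem(self, user, token, ip, now=None):
        """Return a fresh token on success, None if a full login is required."""
        now = time.time() if now is None else now
        # One-time use: the presented token is consumed whether or not it passes.
        row = self._rows.pop(self._digest(token), None)
        if row is None or row["user"] != user or row["expires"] < now:
            return None
        if row["ip"] != ip:
            return None  # presented from a different address than it was issued to
        return self.issue(user, ip, row["device"], now)

    def active_devices(self, user, now=None):
        """Machines that currently hold a valid token, for a 'your sessions' page."""
        now = time.time() if now is None else now
        return sorted((r["device"], r["ip"]) for r in self._rows.values()
                      if r["user"] == user and r["expires"] >= now)

    def revoke_all(self, user):
        for key in [k for k, r in self._rows.items() if r["user"] == user]:
            del self._rows[key]
```
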
