How does the "Remember my password" checkbox work?

Solution 1

The "save password" part comes from the browser's password manager whenever it sees an <input type="password"> that looks like it really is asking for a password. You can use the autocomplete attribute to suppress this in most browsers:

<input type="password" name="password" autocomplete="off">

This won't validate but that usually doesn't matter.

The "remember me" part is completely separate from the browser's password manager. The "remember me" flag is the server's business and all it does is fiddle with the expiry date on the cookie that it sends back. The server will always send a cookie back (unless they're not using cookies for tracking sessions but that's rare and wouldn't need a "remember me" anyway) with something inside it to identify the client user.

If you check "remember me" then you're telling the server that you want a persistent session. To achieve this, the server will include an expiry date with the cookie and that expiry date will be some time in the future. When the date arrives, the browser will expire and delete the cookie; without the cookie, the server won't know who you are anymore and you'll have to log in again.

If you don't check "remember me" then you'll get a session cookie. Session cookies don't have expiry dates on them, so they automatically expire when the browser exits. Session cookies are useful for shared machines.

Executive summary:

  • "Save password" is from the browser's password manager.
  • "Remember me" is about the login cookie's expiry time.

Sorry to be so long winded but there seems to be some confusion and a lack of clarity in the other answers.

Solution 2

Question 1:

  1. The session id is stored in the cookie. AFAIK, the password, or the hash of it, is not stored. A session is created on the server side whenever you log in. If you logged in with "Remember Me" checked, the server passes a cookie with the session id (or encrypted session id, or something that uniquely identifies the user session) and this cookie is saved on the client side.
     When you log in the next time, the server checks whether there is a cookie with the session; if it is there (and the session has not been killed/expired - see point 2 below) then the server identifies you as "Veera" and lets you into the site.

  2. Many websites offer an option of "Logout all sessions" (like Gmail: see the bottom of the window). This would invalidate all sessions associated with the user.

Question 2:
"Remember password" is a feature offered by the browser. The browser sees whether there is an <input type=password> on the page and prompts to save this password for you. Any <input type=password> would trigger this.

The difference between the server remembering you and the browser remembering your password is whether your password is saved or not. And combined with the option of "Logging out all sessions" this is a lot better than letting the browser save your password.
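As an added illustration of what both answers describe (this is not code from the question or from either answer), a minimal Python sketch of the server side: a random session token that is stored hashed rather than the password, a cookie carrying an Expires date when "remember me" is checked versus a plain session cookie when it is not, and the "logout all sessions" invalidation that Solution 2 mentions. The in-memory store, the function names and the 30-day lifetime are assumptions for the example.

```python
import hashlib
import secrets
from datetime import timedelta

# Constructed in-memory stand-in for a sessions table: token hash -> (user, expiry).
# Only a hash of the token is kept, so a copied store does not yield usable cookies.
SESSIONS = {}
REMEMBER_ME_DAYS = 30  # assumed lifetime for a "remember me" cookie

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def login(user, remember_me, now):
    """Create a session and return (token, Set-Cookie header value)."""
    token = secrets.token_urlsafe(32)  # random token, never derived from the password
    if remember_me:
        # Persistent cookie: the browser keeps it until Expires, the server keeps
        # the matching record until the same moment.
        expires = now + timedelta(days=REMEMBER_ME_DAYS)
        SESSIONS[_hash(token)] = (user, expires)
        cookie = (f"sid={token}; Expires={expires.strftime('%a, %d %b %Y %H:%M:%S GMT')}; "
                  "HttpOnly; Secure; SameSite=Lax")
    else:
        # Session cookie: no Expires attribute, so the browser drops it on exit.
        # (A real server would still apply an idle timeout to the record.)
        SESSIONS[_hash(token)] = (user, None)
        cookie = f"sid={token}; HttpOnly; Secure; SameSite=Lax"
    return token, cookie

def who_is(token, now):
    """Return the user identified by this cookie value, or None if unknown/expired."""
    entry = SESSIONS.get(_hash(token))
    if entry is None:
        return None
    user, expires = entry
    if expires is not None and now >= expires:
        del SESSIONS[_hash(token)]  # lazily purge the expired record
        return None
    return user

def logout_all_sessions(user):
    """'Logout all sessions': invalidate every token ever issued to this user."""
    doomed = [h for h, (u, _) in SESSIONS.items() if u == user]
    for h in doomed:
        del SESSIONS[h]
    return len(doomed)
```

Because the server holds the token record, a stolen cookie can be cut off by deleting that record, which is the property the comments below ask for and which a stored password could never offer.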

Author: Veera, JavaScript developer. http://veerasundar.com/blog

Updated on January 12, 2020

Comments

  • Veera over 4 years

    There are numerous login forms with the little check box "Remember my password" so that the next time you visit the website, the browser automatically fills up the password field for you.

    But I have noticed a behavior in modern browsers, such as Chrome/Firefox, which shows up a notification bar to save the user name/password even though that particular web page does not have any "remember password" check box.

    So my questions are:

    1. If I have to put the "remember password" check box in a login form, what do I have to do when the user checks it? I mean, do I have to store the password in browser cookies (or Local Storage)? If so, should the password be encrypted or plain text?
    2. Is the "Save password" notification bar a browser's functionality, or is there any way to invoke it from the web page?
  • Dane Macaulay about 8 years
    Seems unwise to store credentials in any format on the client.
  • basickarl almost 8 years
    @DaneMacaulay Think he is referring to a session id of some sort. Saving the actual credentials is suicide.
  • Ricardo Magalhães Cruz almost 8 years
    Do not store passwords on the client. Whether encrypted or not, someone can just copy them. Store only tokens which can easily be nullified or expired.
  • hwjp over 6 years
    Yes! 10 years of being a web developer and this happened to bug me just now, and TIL about session cookies vs cookies with explicit expiry. developer.mozilla.org/en-US/docs/Web/HTTP/… thanks!
  • ToolmakerSteve about 5 years
    To add to @RicardoCruz's comment: Always assume a cookie may be stolen. If possession of the cookie is sufficient to login, then there must be a way to expire/invalidate that cookie. By definition, an "encrypted password" cannot be expired/invalidated, except by requiring the user to change their password. Instead, as Ricardo says, store a token that was generated at the user's last successful login from this device, and remembered on the server and in the cookie. Limit that token to the user, the device and browser and IP, and a time range. This limits the risk.