Implement a “remember me” checkbox?

[Zegnat]

I was just thinking about this re: UX. I use a password manager so my login is always only one keyboard shortcut away, but for many people switching to selfauth means they have to keep entering their password again and again.

This is also not something they would need to do with RelMeAuth, as they are likely already logged in to the silos they use.

Should we consider a “remember password” checkbox and then create a session to keep the user “logged in”? This would simply remove the password box and after form submit check the session instead of a sent password.

[sebsel]

I have this on my own site now too. It shows a button instead of the password field if I'm already logged in (taken the idea from Aaron).

Also to think about: remember an app.
If it's only authentication (no scopes), and if I have accepted the app already, and if I'm already logged in, why not sign and redirect right away, instead of showing an extra button to click?

[Zegnat]

The problem with adding a session is already that we lose statelessness (which we have right now, even for the CSRF).

Remembering an app – if you want to remember it over several sessions – requires not only introducing a session but also some server-side data storage.

[aaronpk]

You can always store things in the network. You can implement sessions without any server-side storage by using an encrypted cookie to store things. You could even remember an app by storing that state in a cookie.

[Zegnat]

You can implement sessions without any server-side storage by using an encrypted cookie to store things.

For some reason I always forget about cookies. Yes, that would definitely work. Though I’m unsure about the max size of a cookie these days… important if you want to store remembered apps. (Although with the handful of apps available today that shouldn’t be a problem.)

[aaronpk]

Yeah max cookie length is a consideration but there's ways around that too. Use a cookie name that includes the key of what you're storing so you'd end up with a bunch of cookies. (E.g. remember-client-indieweb.org) Or if you don't mind slightly limiting where the feature works you could use LocalStorage