The “Remember Me” feature on the login form of many web applications is a valuable time-saving mechanism for users on trusted computers. It is implemented with persistent cookies. I first implemented persistent cookies, the ‘Remember me’ function, on List Central because I was sick of having to log in several times a day, but I also value the improved usability it will offer my future users!
The diagram below briefly illustrates how I implemented persistent cookies on List Central:

[Diagram: Persistent Cookies]
My diagram is certainly cute, but it’s not terribly clear, so I’ll spell out the steps:
- A user requests a page from List Central
- List Central checks the user's cookie jar for the List Central login cookie
- If found, the user is considered to be logged in
- If not found, List Central checks the user's cookie jar for the List Central persistent cookie
- If found, the system checks the seemingly meaningless string of characters to determine whether it is a valid persistent cookie
- If the persistent cookie is valid, the system sets the List Central login cookie and considers the user to be logged in
- If no persistent cookie was found, or it was found to be invalid or expired, the user is not considered to be logged in and is treated as a guest until s/he logs in via the login form
- On successful login, the system sets the List Central login cookie, and sets the persistent cookie only if the user checked ‘Remember me’
The “Login” cookie is set every time the user comes to the site, and it is set to expire at the end of the browser session. The value of this cookie is a unique string that identifies the user on the site, encrypted, of course. The persistent cookie is only set when the user successfully logs in and checks ‘Remember me’. The system validates the encrypted value of the persistent cookie against a corresponding value in the database to verify the identity of the user. It is set to expire after 2 weeks, after which the user has to log in again.
It is important to note that there is a security risk involved in using persistent cookies. The user could accidentally check “Remember Me” on a public computer, or someone other than the user could gain access to his or her computer. It is therefore important to always require the user to re-enter their username and password when changing important account information, such as their email, username and password.
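To make the steps above concrete, here is an added example of the whole flow in Python: the session “login” cookie is checked first, then the persistent cookie is validated against a server-side record that expires after 2 weeks, and a session restored from a persistent cookie is not allowed to change sensitive settings until the password is re-entered. This is illustration code, not List Central's: it uses in-memory dicts in place of the database, stores a hash of a random token rather than the post's encrypted value, and the five-minute re-authentication window is an assumption.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

PERSISTENT_LIFETIME = timedelta(weeks=2)   # post: persistent cookie expires after 2 weeks
REAUTH_WINDOW = timedelta(minutes=5)       # assumption: how recent a password entry must be

# Constructed in-memory stores standing in for the database.
persistent_tokens = {}   # sha256(token) -> {"user": str, "expires": datetime}
sessions = {}            # session id    -> {"user": str, "password_at": datetime | None}


def _hash(token):
    # Only a hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def _set_login_cookie(user, cookies, now, password_at):
    """Session cookie: an opaque random id. A real response would send it with
    no Max-Age (it dies with the browser session) plus HttpOnly and Secure."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "password_at": password_at}
    cookies["login"] = sid


def login(user, remember_me, cookies, now):
    """Successful form login; the caller has already verified the password."""
    _set_login_cookie(user, cookies, now, password_at=now)
    if remember_me:
        token = secrets.token_urlsafe(32)
        persistent_tokens[_hash(token)] = {"user": user, "expires": now + PERSISTENT_LIFETIME}
        cookies["persistent"] = token


def current_user(cookies, now):
    """The post's steps: login cookie first, then the persistent cookie."""
    session = sessions.get(cookies.get("login"))
    if session is not None:
        return session["user"]
    token = cookies.get("persistent")
    if token is None:
        return None
    record = persistent_tokens.get(_hash(token))
    if record is None or record["expires"] <= now:
        cookies.pop("persistent", None)            # invalid or expired: treat as guest
        if record is not None:
            del persistent_tokens[_hash(token)]    # expired: clean up server side too
        return None
    # Valid: set the login cookie, but note that no password was entered just now.
    _set_login_cookie(record["user"], cookies, now, password_at=None)
    return record["user"]


def reauthenticate(cookies, now):
    """Called after the user re-enters username and password on a settings form."""
    session = sessions.get(cookies.get("login"))
    if session is not None:
        session["password_at"] = now


def change_sensitive_setting(cookies, now, apply_change):
    """Email/username/password changes need a recent password entry, so a session
    restored from a leftover or stolen persistent cookie cannot make them."""
    session = sessions.get(cookies.get("login"))
    if session is None:
        return False
    last = session["password_at"]
    if last is None or now - last > REAUTH_WINDOW:
        return False
    apply_change(session["user"])
    return True


def logout(cookies):
    """Invalidate server side as well; clearing only the browser cookie would
    leave the persistent token valid on the server."""
    sessions.pop(cookies.pop("login", None), None)
    token = cookies.pop("persistent", None)
    if token is not None:
        persistent_tokens.pop(_hash(token), None)
```

The `cookies` dict plays the role of the browser's cookie jar for one client; in a web framework the same functions would read the request cookies and write Set-Cookie headers on the response. The important design point is that the server keeps its own copy of the persistent record, so it can expire or revoke a token even while the browser still presents it.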