Remember Me Cookie Duration

I have successfully set up the remember me functionality. Unfortunately it has too good a memory. In my settings I have the cookie set to expire after 1 day, correct?


So this means that after not visiting the site for a full weekend the cookie should have expired and login would then be required. Or am I understanding this wrong?

I was still logged in this morning after being away from the site for longer than two days.

Remember Me is past tense; it is outdated since all modern browsers now have a remember password feature.

Ben, “remember me” has nothing to do with remembering the user and password info in the login form. This option creates a cookie which keeps you logged in, until the cookie expires.


I know that SSL will alleviate this, but be aware that there are other techniques, such as cross-site scripting (XSS) that could steal or compromise a remembered user session.

It is much safer to use the browser remember password feature.

Just my two-bobs worth (Aussie slang for ‘my thoughts’).

Ben, I am not really sure what exactly you are trying to explain, but I have the feeling you don’t get what the “Remember me” option in security provider does and how it is different from the “remember credentials” option of the web browsers.

The “Remember me” option in security provider sets a cookie when you log in. This cookie keeps you logged in, until you log out or the cookie (you manually set the cookie expiration date!) expires.
So with the “Remember me” option in security provider set and its expiration date set to 30 days, even if you close your browser and come back in 10 days, you will still be logged in and you won’t be redirected to the log in page!
If the “Remember me” option in security provider is not used, or not set - no cookie will be created and you will be logged out as soon as your browser session ends. Then you have to log in again every time you visit the site…

The “Remember login details/Remember credentials” options in the web browser just store the login details and the browser auto fills them in the login inputs, when you are on the login page.
This option does not affect your logged-in status on the website. It does not control the login duration or the login status and does not keep you logged in. It just stores the credentials so you can auto fill them when on the login page.

Probably what confuses you and some other users is the name of the “Remember me” option in security provider. You should look at it as if it was saying “Keep me logged in until I log out”.

With a sniffer you could indeed steal the cookie, but only if the website doesn’t use SSL. But in that case you could also read the username/password sent to the server from the login form. The security provider uses HttpOnly cookies, which cannot be read with JavaScript; that should protect against XSS attacks.

When you don’t have a session/cookie then the user needs to log in on each request and send the password to the server, which would be less secure. The remember password feature of the browser is only handy in that it fills out the form for you and you don’t have to remember the password yourself.

Thanks, that is great, I didn’t know. This will certainly give the protection against XSS attacks.

But what is stored in the cookie, is it the username and password unhashed?

I think the cookie just stores a reference to a session file on the server. After logging in, you will see something like this in Storage > Cookies (eg using Firefox Developer Tools):

This links to a file on the server called sess_9od2taan1lvvljc4o81o3t4da2. If you develop locally, you can open this file in a text editor. You’ll see something like:
sec_provId|i:1;
(useful for debugging cookies/sessions etc.)


The cookie stores the username/password encrypted with a key. The Site Secret Key that was configured in Server Connect. Without the key you can’t decrypt the cookie.

:blush: There you go, still underestimating Wappler. I loved it before. I adore it now.

Remember Me! :heart_eyes:

So does that mean this is a bug since I have mine set at one day but it never seems to be logged out?

I can confirm this is a bug. Tested on three computers. I have my duration set to one day:

Yet the cookie expiry date is still 30 days …

Is there a place in the code I can correct this? I assume it’s still being looked at as a bug.

Edit: Found the code. It appears to be correct in the security provider file:

“expire”: 1

But it is definitely still setting the cookie to 30 days.


I can confirm this has been fixed in 2.2.2! Yay! Thanks!
