prologic
Reply to #p3li7rq
@bender Hmmmm I'm not sure about this... 🧐 Does anyone who knows web/session security better than me have any other opinions?
1 week ago
lyse
Reply to #n2er4fq
@prologic I do NOT claim to be an expert in that realm. I've seen different things being implemented in the guise of "remember me". But I reckon the most common scheme, when this checkbox is activated, is to issue a dedicated, long-lived refresh token in a login cookie. I'm sure it is known under several different names. This "remember me" login cookie is separate from the actual short-lived session cookie.
Part 2 of this answer explains it fairly well: https://stackoverflow.com/a/477578 Also, this was a nice read: https://web.archive.org/web/20180819014446/http://jaspan.com/improved_persistent_login_cookie_best_practice
It depends on your threat model, but the use of public computers in libraries, internet cafés or similar is probably the most relevant here, when arguing against activating "remember me". These days, shared computer use is declining, I'd assume. With twtxt being a niche for more computer-affine folks, I'd reckon this threat is not that high up the list. On the other hand, you want to bring yarnd to the average non-nerd user, so this threat might actually rank more important.
It's probably okay and safe enough to remove "remember me" entirely and just issue a long-lived session cookie and be done with that. Optionally, power users or the administrator could benefit from configurable cookie lifetime(s).
1 week ago
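The scheme lyse describes above, a dedicated long-lived "remember me" cookie kept separate from the short-lived session cookie, in the shape of the "improved persistent login cookie" pattern linked in that post (series identifier plus a per-use rotated token, with theft detection), as an added Go example. This is illustrative code written for this page, not yarnd's own implementation; the RememberStore type, the in-memory map, the "series:token" cookie layout and the cookie name remember_me are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Hypothetical "remember me" series store (illustration only, not yarnd code).
// The browser holds one cookie of the form "<series>:<token>". The server keeps
// only a hash of the token, so a leaked table yields no usable cookies, and it
// rotates the token on every use so a stolen copy stops working once either
// party has used it.
type seriesRecord struct {
	user      string
	tokenHash [sha256.Size]byte
	expires   time.Time
}

type RememberStore struct {
	mu     sync.Mutex
	series map[string]*seriesRecord
	ttl    time.Duration
	now    func() time.Time // overridable clock, used by the test for expiry
}

var (
	ErrInvalid = errors.New("remember-me cookie malformed, unknown or expired")
	ErrStolen  = errors.New("remember-me series presented with a stale token; series revoked")
)

func NewRememberStore(ttl time.Duration) *RememberStore {
	return &RememberStore{series: map[string]*seriesRecord{}, ttl: ttl, now: time.Now}
}

func randomString() (string, error) {
	b := make([]byte, 16) // 128 bits from crypto/rand
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Issue starts a new series for user (when the "remember me" box was ticked at
// login) and returns the cookie value to hand to the browser.
func (s *RememberStore) Issue(user string) (string, error) {
	series, err := randomString()
	if err != nil {
		return "", err
	}
	token, err := randomString()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.series[series] = &seriesRecord{user: user, tokenHash: sha256.Sum256([]byte(token)), expires: s.now().Add(s.ttl)}
	return series + ":" + token, nil
}

// Redeem handles a request that carries a remember_me cookie but no live session.
// On success it returns the user to open a fresh short-lived session for, plus
// the rotated cookie value the response must set.
func (s *RememberStore) Redeem(cookie string) (user, next string, err error) {
	series, token, ok := strings.Cut(cookie, ":")
	if !ok {
		return "", "", ErrInvalid
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, found := s.series[series]
	if !found || s.now().After(rec.expires) {
		delete(s.series, series)
		return "", "", ErrInvalid
	}
	h := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(h[:], rec.tokenHash[:]) != 1 {
		// Known series, wrong token: this copy was already rotated away, so it is
		// being replayed (by a thief, or by the victim after the thief). Revoke the
		// whole series so the other holder's copy dies as well.
		delete(s.series, series)
		return "", "", ErrStolen
	}
	fresh, err := randomString()
	if err != nil {
		return "", "", err
	}
	rec.tokenHash = sha256.Sum256([]byte(fresh))
	rec.expires = s.now().Add(s.ttl)
	return rec.user, series + ":" + fresh, nil
}

// RememberCookie builds the long-lived cookie. The session cookie stays a
// separate, MaxAge-less cookie that the browser drops when it closes.
func RememberCookie(value string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{Name: "remember_me", Value: value, Path: "/", MaxAge: int(ttl.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

func main() {
	store := NewRememberStore(30 * 24 * time.Hour)
	c, _ := store.Issue("bender")
	user, rotated, err := store.Redeem(c)
	fmt.Println(user, err, rotated != c) // bender <nil> true
	_, _, err = store.Redeem(c)          // replaying the pre-rotation cookie
	fmt.Println(err)                     // ... series revoked
}
```

The ErrStolen branch is the point of keeping a series identifier alongside the token: a plain random cookie can only be "valid" or "unknown", whereas a valid series with a stale token tells the server that two parties hold the same credential, and a real deployment would also notify the affected user and clear their sessions at that point.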
prologic
Reply to #n2er4fq
@lyse I'll buy that argument 👌
1 week ago
prologic
Reply to #n2er4fq
@eldersnake Like a "I'm on a public terminal" type thing? Which has the opposite effect? With some helpful descriptive text? 🤔
1 week ago
lyse
Reply to #n2er4fq
@prologic @eldersnake I'd avoid the inverted logic. Checking a setting to disable a feature always feels wrong and confusing to me. I'd rather suggest to enable the checkbox by default. But I'm with you, an explanation what it does is definitely helpful. Maybe something along those lines: "Enabling this feature will keep you logged in, even after closing your browser. Do not activate this setting on shared devices."
1 week ago
prologic
Reply to #n2er4fq
@lyse I'm so confused now 🤣
6 days ago
lyse
Reply to #n2er4fq
@prologic How so? Which part did I manage to confuse you with?
6 days ago
prologic
Reply to #n2er4fq
@lyse Specifically:
> I’d rather suggest to enable the checkbox by default
I'm no longer sure, between the discussion(s), how this should behave or look now 🤣
6 days ago
lyse
Reply to #n2er4fq
@prologic Visiting the login page would give you something like this:
```
Username: _<focused field>____
Password: ____________________
[x] Remember me (Enabling this feature will keep
you logged in, even after closing your browser.
Do not activate this setting on shared devices.)
[Login]
```
The "remember me" checkbox could be already activated by default. This would benefit people like @bender.
An alternative would be to make the session lifetime configurable in the user profile. So bender would then set this to forty-two years. :-) Definitely something for power users who know what they're doing. More dangerous for the average Joe, though.
5 days ago
prologic
Reply to #n2er4fq
@lyse Ahh! I can do that, at least the first part. That's trivial!
5 days ago
prologic
Reply to #n2er4fq
Done
5 days ago