Remembering website (registered) users - what is best prac..

On 17 Jul 2006 11:57:45 -0700, ship <shiphen.DeleteThis@gmail.com> wrote:
>
>
> Hi
>
> Anyone got strong views on REMEMBERING the user?
>
> What is best practice?
>
> Should this be
> - done using a cookie?
> - done using IP number??
> - done in some other clever way
> - not done at all?!
>
> Rumour has it that cookies that last more than one session
> may end up getting banned. In fact some people say that
> cookies should no used AT ALL for anything!!
>
> What does Google do on its email system?
>
> We have a bidding website which requires users to register.
> But how ofren should the be asked to *re-logon* ?!
>
> My guess is that Gmail uses a cookie that only lasts about 1 week??

The only right way of doing is it is with cookies. I am not sure how
you can operate a site with registered users without already having
answers to such questions.

Another way of doing so is to have session IDs in URLs, a very bad
practice.

i
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

In article <1153162665.122706.154760 RemoveThis @p79g2000cwp.googlegroups.com>,
"ship" <shiphen RemoveThis @gmail.com> wrote:

macromedia.dreamweaver removed from followups; this has nothing to do
with Dreamweaver.


>
> What is best practice?

Best practice is choosing the appropriate solution for the problem, not
a one-size-fits-all solution.

> Should this be
> - done using a cookie?

That's a very good way of doing it.

> - done using IP number??

Can you guarantee that each of your user will have a unique IP address
that never changes? It's a rhetorical question -- no, you can't, unless
you're on a very unusual network, so using IP addresses is almost
certainly a poor choice.

> - done in some other clever way

Possible, but usually more work and more awkwardness than using cookies.

> - not done at all?!
>
> Rumour has it that cookies that last more than one session
> may end up getting banned. In fact some people say that
> cookies should no used AT ALL for anything!!

Well, if you listen to rumors, you can hear almost anything. My rumor is
that cookies that last more than one session are not going away any time
soon. It may comfort you to know that there's no entity that can
effectively "ban" then. Either browsers support them, or they don't. The
W3C could issue a fatwah against them, but they'd have a hard time
deprecating one of the Web's most frequently used features.


> What does Google do on its email system?

Experiment for yourself -- try disabling cookies in your browser and see
how Gmail and other sites you visit behave without cookies.


> We have a bidding website which requires users to register.
> But how ofren should the be asked to *re-logon* ?!

I depends on how often you want to inconvenience your users with a
logon. This isn't a question we can answer for you.


Ship, cookies are pretty simple and useful. Just realize that they're
sent over the Net in plain text (unless you're on a secure connection)
so don't put anything too valuable in there.

HTH

--
Philip
http://NikitaTheSpider.com/
Whole-site HTML validation, link checking and more
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

In alt.www.webmaster, Ignoramus18860 wrote:

> On 17 Jul 2006 11:57:45 -0700, ship <shiphen DeleteThis @gmail.com> wrote:
>> Anyone got strong views on REMEMBERING the user?
>>
>> What is best practice?
>
> The only right way of doing is it is with cookies.

Users delete cookies regularly, or don't accept them at all. The only
right^W^Wbest way of doing it is with a database.

--
-bts
-Warning: I brake for lawn deer
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

"Beauregard T. Shagnasty" <a.nony.mous.RemoveThis@example.invalid> wrote in
news:FFSug.409158$Fs1.170533@bgtnsc05-news.ops.worldnet.att.net:

> In alt.www.webmaster, Ignoramus18860 wrote:
>
>> On 17 Jul 2006 11:57:45 -0700, ship <shiphen.RemoveThis@gmail.com> wrote:
>>> Anyone got strong views on REMEMBERING the user?
>>>
>>> What is best practice?
>>
>> The only right way of doing is it is with cookies.
>
> Users delete cookies regularly, or don't accept them at all. The only
> right^W^Wbest way of doing it is with a database.
>

Methinks you misunderstood the OP's question.
How is a database going to *remember* the user?
Without a cookie, cnce the session is over, the site "forgets" about the
user. A database won't fix that.



--
Karl Groves
www.karlcore.com
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

ship wrote:

> Should this be
> - done using a cookie?
> - done using IP number??
> - done in some other clever way
> - not done at all?!

Give them a user name and password. When they arrive at your site, make
them log in, start a session for them (session cookies are ideal for this)
and save their login details in their session.

> But how ofren should the be asked to *re-logon* ?!

Once per session.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

In alt.www.webmaster, Karl Groves wrote:

> "Beauregard T. Shagnasty" <a.nony.mous RemoveThis @example.invalid> wrote in
> news:FFSug.409158$Fs1.170533@bgtnsc05-news.ops.worldnet.att.net:
>
>> In alt.www.webmaster, Ignoramus18860 wrote:
>>
>>> On 17 Jul 2006 11:57:45 -0700, ship <shiphen RemoveThis @gmail.com> wrote:
>>>> Anyone got strong views on REMEMBERING the user?
>>>>
>>>> What is best practice?
>>>
>>> The only right way of doing is it is with cookies.
>>
>> Users delete cookies regularly, or don't accept them at all. The only
>> right^W^Wbest way of doing it is with a database.
>
> Methinks you misunderstood the OP's question.
> How is a database going to *remember* the user?
> Without a cookie, cnce the session is over, the site "forgets" about the
> user. A database won't fix that.

Depends on how you use the database, and how you write the pages. <g>

--
-bts
-Warning: I brake for lawn deer
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

On Mon, 17 Jul 2006 15:52:59 -0500, Karl Groves <karl RemoveThis @NOSPAMkarlcore.com> wrote:
> "Beauregard T. Shagnasty" <a.nony.mous RemoveThis @example.invalid> wrote in
> news:FFSug.409158$Fs1.170533@bgtnsc05-news.ops.worldnet.att.net:
>
>> In alt.www.webmaster, Ignoramus18860 wrote:
>>
>>> On 17 Jul 2006 11:57:45 -0700, ship <shiphen RemoveThis @gmail.com> wrote:
>>>> Anyone got strong views on REMEMBERING the user?
>>>>
>>>> What is best practice?
>>>
>>> The only right way of doing is it is with cookies.
>>
>> Users delete cookies regularly, or don't accept them at all. The only
>> right^W^Wbest way of doing it is with a database.
>>
>
> Methinks you misunderstood the OP's question.
> How is a database going to *remember* the user?
> Without a cookie, cnce the session is over, the site "forgets" about the
> user. A database won't fix that.


Exactly. You have to give a user some sort of proof that he or she is
authenticated, and identify their connection. That is what's stored in
the cookie, and a database could possibly complement that by
associating even more information with their session id.

i
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

Toby

> > Should this be
> > - done using a cookie?
> > - done using IP number??
> > - done in some other clever way
> > - not done at all?!
>
> Give them a user name and password. When they arrive at your site, make
> them log in, start a session for them (session cookies are ideal for this)
> and save their login details in their session.

Yes, yes - make them enter username (email address) and a password of
their own choice. All stored in a database.

I can't decide if we should validate the email address before they are
allowed
to continue... or not!


> > But how ofren should the be asked to *re-logon* ?!
>
> Once per session.

It seems me that logging back in EVERY time you visit a site is a
MIGHTY pain!

I guess we could give the user the choice: i.e. as the user if they
would like
to "Remember me on this computer? "

If they say "no" then we store nothing.

But if they say "yes", then we should store their username in a cookie
so that it's always there... and put their password into a cookie that
expires in what, 2 or 3 of days?

Afterall I have to use this site myself and I dont want to spend my
life re-entering
my frickin password!


Ship
Shiperton Henethe
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

Nikita

> > We have a bidding website which requires users to register.
> > But how ofren should the be asked to *re-logon* ?!
>
> I depends on how often you want to inconvenience your users with a
> logon. This isn't a question we can answer for you.

I want to inconveniece our users AS LITTLE AS POSSIBLE, of course.
But I dont want to violate the confidentiality of their data etc
either!

Hence my question about "best practice".


Ship
Shiperton Henethe
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

> However long you set the cookie to last before requiring the user to
> logon again, it is essential that they still need to log on once per
> session to place a bid, otherwise this will ruin your reputation for
> security (since not everybody using a public will thnk to delete
> cookies or log out when they leave the site). eBay remembers you for
> about a week, unless it recognises that you log on from another IP
> address and even then, normally only lets you view items, not place a
> bid or access your personal details.

Not sure that I completely follow this.
eBay is remembering you for about a 1 week, using cookies presumably
(?).
But it is also storing your IP address, which I presume must not change
or else you'll be forced to re-enter your pw (and userID)??

Not sure about FORCING users to register before placing a bid. That
sounds
inconvenient. On our site you see they *pay* to bid in any case (which
makes
the winning bids much lower)...

Ship
Shiperton Henethe



>
> Make sure you have a correct privacy policy in any case to cover your
> database and any cookies you create.
>
> --
> Rich Mellor
> www.rwapservices.co.uk
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

ship wrote:
> > However long you set the cookie to last before requiring the user to
> > logon again, it is essential that they still need to log on once per
> > session to place a bid, otherwise this will ruin your reputation for
> > security (since not everybody using a public will thnk to delete
> > cookies or log out when they leave the site). eBay remembers you for
> > about a week, unless it recognises that you log on from another IP
> > address and even then, normally only lets you view items, not place a
> > bid or access your personal details.
>
> Not sure that I completely follow this.
> eBay is remembering you for about a 1 week, using cookies presumably
> (?).
> But it is also storing your IP address, which I presume must not change
> or else you'll be forced to re-enter your pw (and userID)??

Yes that seems to be correct - they use a cookie and IP address if the
IP address is unchanged since last time you use the site and the cookie
is still valid, then you do not need to log on to access your details.

>
> Not sure about FORCING users to register before placing a bid. That
> sounds
> inconvenient. On our site you see they *pay* to bid in any case (which
> makes
> the winning bids much lower)...
>

Yes, I can see the logic in that - however, if you are asking users to
enter their payment details each time they wish to bid, that is surely
more inconvenient than asking them to log on once per session?

If you are storing payment details on your database, I am sure there
must be guidelines as to how these are stored - ie. encryption, access
rules etc. Certainly as a user, I would want to see a strict privacy
statement and strong security here.

Rich Mellor
www.internetbusinessangels.com
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

ship wrote:
> Nikita
>
>
>>>We have a bidding website which requires users to register.
>>>But how ofren should the be asked to *re-logon* ?!
>>
>>I depends on how often you want to inconvenience your users with a
>>logon. This isn't a question we can answer for you.
>
>
> I want to inconveniece our users AS LITTLE AS POSSIBLE, of course.
> But I dont want to violate the confidentiality of their data etc
> either!
>
> Hence my question about "best practice".
>
>
> Ship
> Shiperton Henethe
>

It depends on the users and data.

A bank might use criteria of forcing the user to re-logon if inactive
for more than 10 minutes or a total session time of over 1 hour. Sites
with less critical data might use 30 minutes/4 hours. And completely
innocuous sites might log people on automatically (based on a cookie)
and never log them off.

So there's no "best practice" here. It all depends on how important it
is to protect access to the information. Like almost everything, it's a
trade off, this one between security and convenience.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.TakeThisOut@attglobal.net
==================
 >> Stay informed about: Remembering website (registered) users - what is best prac.. 

Jerry Stuckle <jstucklex.TakeThisOut@attglobal.net> wrote in
news:tIidnddHfJJ1VSHZnZ2dnUVZ_sCdnZ2d@comcast.com:

> ship wrote:
>> Nikita
>>
>>
>>>>We have a bidding website which requires users to register.
>>>>But how ofren should the be asked to *re-logon* ?!
>>>
>>>I depends on how often you want to inconvenience your users with a
>>>logon. This isn't a question we can answer for you.
>>
>>
>> I want to inconveniece our users AS LITTLE AS POSSIBLE, of course.
>> But I dont want to violate the confidentiality of their data etc
>> either!
>>
>> Hence my question about "best practice".
>>
>>
>> Ship
>> Shiperton Henethe
>>
>
> It depends on the users and data.
>
> A bank might use criteria of forcing the user to re-logon if inactive
> for more than 10 minutes or a total session time of over 1 hour. Sites
> with less critical data might use 30 minutes/4 hours. And completely
> innocuous sites might log people on automatically (based on a cookie)
> and never log them off.
>
> So there's no "best practice" here. It all depends on how important it
> is to protect access to the information. Like almost everything, it's a
> trade off, this one between security and convenience.
>
>


I agree with Jerry that there's no "right" and "wrong" way to handle this.
If your users' accounts contain sensitive information, or if they're able
to interact with sensitive information (be it yours or theirs), then you
may even want to expire their session after a few minutes of inactivity.

On the other hand, if it is just a messageboard, you might want to set a
cookie that never expires.



--
Karl Groves
www.karlcore.com
 >> Stay informed about: Remembering website (registered) users - what is best prac..