I feel like every web site with a “Keep Me Logged In” checkbox should have a FAQ entry titled “Why Doesn't The ‘Keep Me Logged In’ Checkbox Keep Me Logged In,” and the answer should be “Because we hate you.”
omg a hit toot! um I don't have a spotify so I guess buy some of my stickers? I'm really trying to make 2023 the Year of the Standard Hexagon Sticker: https://shop.oddlyspecificobjects.com/products/spring-2023-sticker-sheet

@joeycastillo Hexagons are the bestagons after all
@andrewlecody @joeycastillo Unfortunately they don't tile well on non-hexagonal objects like laptops, hydroflasks, or light poles...
@blake @andrewlecody If you get enough of them together tho it looks kinda rad anyway! (as seen at CTRL-H in Portland over the weekend)
Or is it PDX Hackerspace? I saw both names on the schedule and was confused, in case anyone in that scene runs across this…
@joeycastillo Those are actually quite nice
To everyone saying this is a browser issue, I assure you it isn't. The thing that triggered this annoyance was Delta's website which, despite having a “Remember Me” checkbox, also has a countdown timer to getting logged out after some time. Someone suggested that it might be related to PCI-DSS compliance: like maybe it remembers me as long as I don't do anything that triggers that flow (like searching for a flight, lol) but then it HAS to log me out for applicable regulatory compliance purposes.
@joeycastillo However, their Android app doesn't seem to do the same thing, which makes me wonder about it being for regulatory compliance...
@joeycastillo Not only is that a site that never remembers me, even a half hour later, but it also requires a login ID, password, *and* last name which my autofill cannot handle, apparently. And the last name field doesn't show at first, so it autofills and I can click login before the third (non-auto-filled) field is revealed.

@joeycastillo

The [x]Remember Me checkbox, upon being clicked, should pop up a window that says

"nu website, who dis?"

@joeycastillo I think on 90% of sites - there is no code behind those checkboxes :)

@cymplecy @joeycastillo

Brought to you by the same people that make the "Door Close" buttons in elevators.

@joeycastillo
I love when that happens. That tells me that cookies have been deleted 🍪🚮
@lukasweidinger @joeycastillo Sadly, no; only that THAT cookie has been deleted.
@joeycastillo yeah, they still can't figure that one out, huh. hahaha
@joeycastillo
On a particular website, if I don't check it, it randomly logs me out. Why would anyone want that? If I do check it, it randomly logs me out a lot less.
@joeycastillo The answer is that logged in is not a binary state.
@joeycastillo We use a model where logged-in-ness is a sliding scale from 0 to 1 and depending what you are trying to do (and the potential damage it could cause) you need a different threshold. Ordering something to an existing address using a known credit card will be a lower threshold than ordering something using a net 30 invoice to a new address. As such we use different factors such as last time you logged in, IP address, UA agents and such to determine logged-in-ness.

@olikami @joeycastillo
Yes, but that's not what he's talking about.

There are many sites that have a remember me checkbox but will send you straight back to the login page every time you return.

@dbrand666 @joeycastillo hmm I guess I don't use those sites as much. I only know of one site I regularly use that does that. But it's only when I also use it on a different device, which makes me think that they use a 1-to-1 relationship for tokens or something stupid like that.
@joeycastillo actual login functionality generally works by creating a session, but "remember me" functionality generally works by creating a cookie, because PCI-DSS compliance requires that sessions expire after a short period of inactivity. These cookies come under the optional category though, so if you reject them via the annoying cookie pop-up, you're effectively unchecking the "remember me" checkbox. Also, some browsers, like Firefox, default to cleaning cookies up as if they're sessions.

@joeycastillo keeping you logged in is a security risk.

how do sites «keep you logged in»? usually by storing a unique session id in a... cookie.

the same cookie could potentially permit the owner of that site to track your activity online to some extent. sure you want that?

also, ever had your kid open the browser three days later and have your session still open, with maybe your credit card set up for «easy transactions»?

don't be lazy, never ever click «keep me logged in».

@tivasyk @joeycastillo
The "keep me logged in" checkbox was a mistake. It should've been a date picker from day one.

"keep me logged in"
"ok, but for how long?"

@wolf480pl this reminds me of another pet peeve: all recurring meetings should have an end date. it irks me that the weekly catch-up will still be happening long after I am / we're all dead.
@joeycastillo or Microsoft’s “Don’t ask again” which proceeds to always ask again.
@henryhenderson @joeycastillo Hmmm... Twitter's "Ask less often" is terrible. Don't ask again! Ever! I don't want notifications! If I do, I'll turn them on myself!

@joeycastillo

@ZevEisenberg, looks like you were leading the trend on this rant yesterday!

@joeycastillo every single month, when I go to pay my mortgage, I have to have the MFA token and it’s supposed to authorize my browser for 180 days. It never does. Ever.

It’s almost like the pedestrian buttons at the crosswalks that don’t actually do anything.

@joeycastillo the supermarket I do my weekly shop at will keep you logged in for some time less than seven days.
@joeycastillo don't let the 1st party Reddit app dev team see this, they might stroke out
@joeycastillo Haha, I can't agree more! It's always a mystery tour when that "Keep Me Logged In" box fails to deliver on its promise. Can we start a petition for this FAQ entry? 😂 #ux

@joeycastillo See Also: "Why isn't the cookie used to remember my cookie settings a required cookie?"

#cookies

@joeycastillo or “your web browser’s cookie rules hate you” or “the browser plugin that you love so much hates you”….
@joeycastillo I feel like you're literally me wanting to throw Microsoft into a river right now lol
@joeycastillo So much this. Every single site that has a checkbox like this fails to properly preserve login sessions, and it's like the box is just there to say 🖕🖕🖕
@dalias @joeycastillo Actually the FAQ entry should say your browser and/or its privacy settings hate us
@dalias @joeycastillo Some browsers make all cookies expire even the ones that aren't set to, some delete them randomly, some refuse to store them at all etc.
@x0 @joeycastillo Nope, that's not what's happening. I have plenty of login sessions that have been alive for 2+ years. I never wipe/expire cookies for sites I want persistent state on. These sites are breaking things themselves.
@dalias @joeycastillo Huh. Do their own cookies have an expiration? Weird. That's not how that's supposed to work.

@x0 @joeycastillo Either their own cookies have an expiration, or they reference a server-side object that has an expiration.

For example I know GitLab's "keep me logged in" actually only works up to an instance-configured maximum, which is something like 7 days by default. Infuriating when the whole reason you have the account is to interact with bug reports.

Thingiverse has one that doesn't even last a day though. 🤦
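
An added example, not part of the thread and not any of the named sites' code: a minimal server-side "remember me" store showing the two limits described in the post above (the cookie's own lifetime and the server-side record it references), plus revocation at logout. The class, function names and the 7-day cap are assumptions made for illustration.

```python
import hashlib
import secrets

DAY = 24 * 3600
MAX_REMEMBER_SECONDS = 7 * DAY  # assumed server-side cap (constructed value)

class RememberMeStore:
    """Server-side records for persistent-login tokens (hypothetical design)."""

    def __init__(self, max_age=MAX_REMEMBER_SECONDS):
        self.max_age = max_age
        self._records = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now, requested_age):
        """Return (token, cookie_max_age); the server cap overrides the request."""
        age = min(requested_age, self.max_age)
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = (user, now + age)
        return token, age

    def check(self, token, now):
        """Return (user, reason); user is None when a fresh login is required."""
        if token is None:
            return None, "no-cookie"           # browser dropped or refused the cookie
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None, "unknown-or-revoked"  # logged out, or record purged
        user, expires_at = record
        if now >= expires_at:
            del self._records[key]             # server-side object expired
            return None, "server-expired"
        return user, "ok"

    def revoke(self, token):
        """Logout: delete the server-side record so the cookie becomes useless."""
        self._records.pop(self._digest(token), None)

def demo():
    store = RememberMeStore()
    token, cookie_age = store.issue("alice", now=0, requested_age=365 * DAY)
    out = [cookie_age // DAY, store.check(token, 6 * DAY), store.check(token, 8 * DAY)]
    out.append(store.check(None, 1 * DAY))
    other, _ = store.issue("alice", now=0, requested_age=DAY)
    store.revoke(other)
    out.append(store.check(other, 10))
    return out
```
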

@dalias @joeycastillo And educational platforms don't even have the option, causing the login to not even persist beyond that one session. Which is severely annoying when I'm interacting with blackboard from home and always have to go through SSO.

@x0 @joeycastillo LOL, just now a banner:

"We introduced major improvements in our login system. If you are experiencing trouble signing in, please clear your Thingiverse cookies to start using the new system."

Wonder if it's still just as broken. 🤔 🤡

@joeycastillo you're erasing your cookies or have your browser set to prevent or reject them.
@joeycastillo Followed closely by MFA checkbox, “Don’t ask again on this device.”
@joeycastillo I see you, too, use tripit.
@joeycastillo This is as annoying as those sites where you purchase something and you check the box saying "don't add me to your spam list" and guess what? You're added. I only wanted to order one thing, not be a lifetime getting your damn emails.

@joeycastillo

“Because you screw with your cookies.”

@joeycastillo I counter punch with “Why the fuck do NextDoor and Instagram think ‘logout’ means ‘oh sure when you click that other link we’ll just log you right back in…’”

@joeycastillo and the corollary -- why doesn't clicking the "Log Out" link LOG ME OUT?

Follow any link in a NextDoor or Instagram email notification and you are LOGGED IN, even after explicitly logging out last time you tempted fate.

INVALIDATE THE FREAKING SESSION MF'er….