Remember-Me settings and configuration for the Loginapp REST API

Example template as a starting point

The Airlock IAM configuration template "Demo configuration using the Loginapp REST UI" features a complex authentication flow that uses the Remember-Me feature for the use case described here.

The demo configuration shows how to configure many IAM features – you may want to check it out.

Global Remember-Me settings

Only one Remember-Me cookie can be stored in a browser/device for all authentication flows. The Remember-Me steps may be used in several flows and grant different sets of tags, but they all refer to the same cookie and the same settings. See also Limitations.

The global Remember-Me settings for all flow steps are configured here:
Loginapp >> Authentication Flows >> Remember-Me Settings

[Screenshot: global Remember-Me settings]

Configuration hints for selected configuration properties:

Setting

Configuration hints

Repository

  • Database repository that is used to store the Remember-Me data.

Logout Behaviour

  • Options:
  • REMOVE_COOKIE (the default) - this will remove the cookie on logout. This is the recommended setting for Keep me logged-in use cases. Hint: Do not configure a Logout propagation path in the IAM mapping on Airlock Gateway (WAF).
  • KEEP_COOKIE – this will keep the cookie after logout. This is the recommended setting for Trust my browser use cases.

Lifetime, Idle Timeout

  • Lifetime vs. idle timeout:
    • The lifetime value determines the absolute expiration time. The lifetime of a token should be limited to a reasonably short value. The rule of thumb is: as long as necessary to fulfill the purpose, but as short as possible to minimize the risk of potential attacks.
    • The idle timeout value is optional and determines the maximum idle time between two logins before a Remember-Me token is invalidated. Choose a timeout that is lower than the lifetime value.
  • Both settings allow values in days, hours, or a combination of both.
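The interplay of lifetime and idle timeout, as an added example that is not Airlock IAM code: the duration syntax ("30d", "12h", "1d12h"), the EPOCH instant and the token record are assumptions of this example, not the Config Editor's own format, and the check rejects a token once either the absolute lifetime or the idle time since the last login has run out.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed textual duration format, modelled on the "days, hours, or a combination
# of both" rule: "30d", "12h" or "1d12h". Not the Config Editor's exact syntax.
_DURATION_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?$")

# Constructed reference instant for the scenarios below.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)

def parse_duration(text: str) -> timedelta:
    """Parse 'Nd', 'Nh' or 'NdMh' into a timedelta."""
    m = _DURATION_RE.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"invalid duration: {text!r}")
    days, hours = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours)

@dataclass(frozen=True)
class RememberMeSettings:
    lifetime: timedelta                       # absolute expiration
    idle_timeout: Optional[timedelta] = None  # optional; max. time between two logins

def settings_issues(settings: RememberMeSettings) -> List[str]:
    """Configuration check: the idle timeout should be lower than the lifetime."""
    issues = []
    if settings.idle_timeout is not None and settings.idle_timeout >= settings.lifetime:
        issues.append("idle timeout is not lower than the lifetime")
    return issues

@dataclass
class RememberMeToken:
    issued_at: datetime   # start of the absolute lifetime
    last_login: datetime  # last successful login with this token

def token_valid(token: RememberMeToken, settings: RememberMeSettings, now: datetime) -> bool:
    """Invalid once the lifetime has elapsed since issuance, or once the time since
    the last login exceeds the idle timeout (when one is configured)."""
    if now >= token.issued_at + settings.lifetime:
        return False
    if settings.idle_timeout is not None and now >= token.last_login + settings.idle_timeout:
        return False
    return True
```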

Cookie Name

  • The name of the Remember-Me cookie. Make sure that the cookie name is listed as either Encrypted cookie or Passthrough cookie in the IAM's mapping on Airlock Gateway (WAF). The default cookie name RememberMe is listed in the IAM mapping template (see Configuration of IAM mappings).
  • If the name of the Remember-Me cookie is changed, all existing Remember-Me cookies in browsers/devices are no longer considered by Airlock IAM.

Cookie Domain, Cookie Path

  • Configure the domain and path so that the cookie is sent back to IAM for verification.
  • Please refer to the documentation in the Config Editor for further information.

For further information on configuration properties, please refer to the documentation in the Config Editor.

Flow step configuration

The Remember-Me feature offers two flow steps:

  • Remember-Me User Identifying Step
  • Remember-Me Token Generating Step

They automatically use the global Remember-Me settings (see above).

The steps need to be placed carefully and in the correct order to work securely and as desired. The following table gives some hints for known use cases. If using the step for other use cases, consider carefully where the steps are placed in the flow.

Flow step name and purpose

Use case

Position within authentication flow

Remember-Me User Identifying Step – this flow step checks the Remember-Me cookie.

  • Use case: flows in which the Remember-Me feature is used to identify who is logging in. Example: Keep me logged-in.
  • Position within the authentication flow:
    • This step is usually the first step in the flow that identifies the user. Often it is also the first step of the flow.
    • This step must be placed after the first used identifying step. Usually, the step is placed after the password check step.

Remember-Me Token Generating Step – this flow step generates the cookie with the Remember-Me token.

  • Use case: all use cases.
  • Position within the authentication flow: the step position within the flow is relevant for the overall security.
    • Never place it before the user is authenticated.
    • Use a Pre Condition as a guard against erroneous configurations. Example: use Has Strong Authentication Tag as a Pre Condition to guarantee that the Remember-Me cookie is only issued if the user has been strongly authenticated.
    • Usually, place the step at the end of the authentication flow or after the last authenticating step used in the flow, for example before token migration, terms of service, and the like.
    • This step is usually (but not necessarily) activated by the end-user using the dynamic step activation (DSA) feature.
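A configuration lint for the placement rules above, written as an added example rather than Airlock IAM code: a flow is a list of steps, and the check reports a Remember-Me Token Generating Step that sits before any authenticating step, has no Pre Condition, has a Pre Condition whose tag no earlier step grants, or is followed by a further authenticating step. The step model, the tag name STRONG_AUTH (standing in for Has Strong Authentication Tag) and the sample flows are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

TOKEN_GENERATING_STEP = "Remember-Me Token Generating Step"
# Assumed tag name standing in for the page's "Has Strong Authentication Tag" condition.
STRONG_AUTH_TAG = "STRONG_AUTH"

@dataclass
class FlowStep:
    name: str
    authenticates: bool = False               # step verifies a credential (password, OTP, ...)
    grants_tags: Set[str] = field(default_factory=set)
    pre_condition_tag: Optional[str] = None   # tag the user must hold for the step to run

def lint_flow(steps: List[FlowStep]) -> List[str]:
    """Return findings for a flow that would issue the Remember-Me cookie too early or unguarded."""
    findings: List[str] = []
    held_tags: Set[str] = set()          # tags granted by the steps seen so far
    authenticated = False                # has any authenticating step run yet?
    generating_at: Optional[int] = None  # index of the token generating step, once seen
    for i, step in enumerate(steps):
        if step.name == TOKEN_GENERATING_STEP:
            generating_at = i
            if not authenticated:
                findings.append(f"step {i}: cookie would be issued before any authenticating step")
            if step.pre_condition_tag is None:
                findings.append(f"step {i}: no Pre Condition guards the token generating step")
            elif step.pre_condition_tag not in held_tags:
                findings.append(f"step {i}: no earlier step grants tag {step.pre_condition_tag!r}, "
                                "so the Pre Condition can never be satisfied")
        elif step.authenticates and generating_at is not None:
            findings.append(f"step {i}: authenticating step after the token generating step "
                            f"(step {generating_at}); the cookie is issued before it completes")
        if step.authenticates:
            authenticated = True
        held_tags |= step.grants_tags
    return findings
```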

Other Remember-Me-related settings

Setting

Supportive information

Consistency listener

  • In the User Data Source, e.g. the plugin Database User Persister, add the plugin Remember-Me Consistency User Change Listener to the list of User Change Event Listeners. This is required for data consistency if a user is deleted or the username is changed.

Remember-Me token migration

To make the Remember-Me User Identifying Step accept cookies that have been issued by the JSP-Loginapp's Remember-Me feature, use the property JSP Remember-Me Settings: it references the old Loginapp's Remember-Me settings so it can extract and decode its Remember-Me cookies.

Remember-Me Token Reset Step

The Remember-Me Token Reset Step may be used to log out all remembered browsers/devices. It is, for example, good practice to log out all remembered browsers/devices after the end-user sets a new password (password reset and voluntary password change).