Initial thoughts
The following example targets a simple but common use case: username and password authentication. The "Keep me logged-in" checkbox on the login screen activates the Remember-Me feature, which automatically identifies the user on later visits with the same browser. This can be used to simplify the login process, e.g. to skip the password check.
It roughly works as follows:
After successful authentication, IAM stores a persistent Remember-Me cookie in the browser. If the user returns with the same browser on a new session, the Remember-Me cookie is validated and the user does not have to enter the username and password when logging in.
- For subsequent sessions with the same browser, the login process is simplified until:
  - The Remember-Me cookie has expired (in the browser or on IAM).
  - The Remember-Me cookie has been tampered with.
  - A different user logs in with the same browser (not using the browser's private mode).
  - A user administrator has deleted the stored Remember-Me token on IAM.
  - The user explicitly logs out (assuming that the logout behavior is configured to remove the cookie on logout). In this case, a new Remember-Me cookie is only issued after re-authentication.
Note that we strongly recommend limiting the validity time of the Remember-Me cookie in the configuration: whoever holds the cookie can log in without a password until it expires or the stored token is deleted on IAM.
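To make the mechanics above concrete, here is an added, constructed example in Python of one way such a scheme can be built. It is not Airlock IAM's implementation and makes its own assumptions: the cookie value is a random selector plus an expiry timestamp plus an HMAC over both; the server keeps one record per selector, which a logout or an administrator can delete; and a password login from a browser that still holds a cookie revokes that cookie's record first, which is how the "different user logs in with the same browser" case is modelled. The secret, usernames and timestamps are all made up.

```python
"""Illustrative Remember-Me token handling (added example, not Airlock IAM code).

Models the behaviour described on the page: a persistent cookie is issued
after login, validated on a later session, and stops working on expiry,
tampering, a different user's login, administrator deletion, or logout.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class RememberMeStore:
    """Server side of the scheme. Token records live here; the browser only
    holds an opaque cookie. Assumption: one record per browser (selector)."""

    def __init__(self, server_secret: bytes, validity_seconds: int):
        self._secret = server_secret
        self._validity = validity_seconds
        # selector -> (username, expires_at); this is what an admin can delete
        self._records: Dict[str, Tuple[str, int]] = {}

    def _mac(self, selector: str, expires_at: int) -> str:
        # MAC covers selector and expiry so neither can be altered client-side
        msg = f"{selector}.{expires_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Called after a successful password login; returns the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(16)       # never contains '.'
        expires_at = int(now) + self._validity
        self._records[selector] = (username, expires_at)
        return f"{selector}.{expires_at}.{self._mac(selector, expires_at)}"

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username to log in without a password, or None."""
        now = time.time() if now is None else now
        try:
            selector, expires_str, mac = cookie.split(".")
            expires_at = int(expires_str)
        except ValueError:
            return None                              # malformed cookie
        # Verify the MAC before consulting the store, so a forged selector
        # cannot be used to probe which records exist.
        if not hmac.compare_digest(mac, self._mac(selector, expires_at)):
            return None                              # tampered with
        record = self._records.get(selector)
        if record is None:
            return None                              # logged out / admin deleted
        username, stored_expiry = record
        if now >= stored_expiry:
            self._records.pop(selector, None)        # expired on the server side
            return None
        return username

    def revoke(self, cookie: str) -> None:
        """Logout configured to remove the cookie: drop the server record."""
        self._records.pop(cookie.split(".")[0], None)

    def revoke_user(self, username: str) -> None:
        """Administrator deletes all stored Remember-Me tokens of one user."""
        for selector, (user, _) in list(self._records.items()):
            if user == username:
                del self._records[selector]


def password_login(store: RememberMeStore, username: str,
                   browser_cookie: Optional[str], now: Optional[float] = None) -> str:
    """Full username/password login from a browser that may already hold a
    Remember-Me cookie (possibly another user's): revoke it, then issue a
    fresh cookie for the user who just authenticated."""
    if browser_cookie is not None:
        store.revoke(browser_cookie)
    return store.issue(username, now=now)


if __name__ == "__main__":
    s = RememberMeStore(b"constructed-demo-secret", validity_seconds=3600)
    c = s.issue("alice", now=1000)
    print("valid next session:", s.validate(c, now=1001))
    print("after expiry:", s.validate(c, now=1000 + 3600))
```

The `now` parameter exists only so the expiry paths can be exercised deterministically; in real use it defaults to the clock. Keeping the username server-side rather than in the cookie means a tampered cookie fails the MAC before anything else is looked at.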