Keep me logged-in – persistent authentication between sessions

Initial thoughts

The following example targets a simple but common use case with username and password authentication. The Keep me logged-in checkbox on the login screen activates the Remember-Me feature which automatically identifies the user when using the same browser. This can be used to simplify the login process, e.g. skip the password check.

63972174.png

It roughly works as follows:

After successful authentication, IAM stores a persistent Remember-Me cookie in the browser. If the user returns with the same browser on a new session, the Remember-Me cookie is validated and the user does not have to enter the username and password when logging in.

  • For subsequent sessions with the same browser, the login process is simplified until:
  • The Remember-Me cookie has expired (in the browser or on IAM).
  • The Remember-Me cookie has been tampered with.
  • A different user logs in with the same browser (not using the browser's private mode).
  • A user administrator has deleted the stored Remember-Me token on IAM.
  • The user explicitly logs out (assuming that logout behavior is configured to remove the cookie on logout). In this case, a new Remember-Me cookie is only issued after re-authentication.

Note that we strongly recommend limiting the validity time of the Remember-Me cookie in the configuration.

Prerequisites

Our use case requires a simple flow with the following steps in the shown order:

simple_Remember-me_flowsteps

Step name

Tags/Guards

Description

Step 1 –
Remember-Me User Identifying Step

  • Tags On Success:
  • WEAK_AUTHENTICATION
  1. This step validates the Remember-Me cookie:
  2. If the token from the user's cookie is valid, step 2 is skipped because of the issued tag in this step and the skip condition in the next step.
  3. If the token is missing or the token is invalid, the user has to proceed with step 2, because no tag is issued in this step.

Step 2 –
Username Password Authentication Step

  • Skip Condition
  • Has WEAK_AUTHENTICATION
  • Tags On Success
  • WEAK_AUTHENTICATION
  • PASSWORD_VERIFIED
  • Activates
  • Step 3

This step checks the user and password and issues a tag if successful.

Additionally, it may activate the next step using the dynamic step activation (DSA) feature. This leads to the Keep me logged-in check being shown on the login page.

Step 3 –
Remember-Me Token Generating Step

  • Pre Condition
  • PASSWORD_VERIFIED

This step needs to be activated.

This step generates a Remember-Me cookie, sends it to the browser, and stores the necessary information in the IAM database.

The step needs to be activated using the dynamic step activation (DSA) feature. If it is not activated, it is skipped.

The precondition assures that the step can only be executed after successful username password verification. The precondition can be used to avoid configuration mistakes and is not strictly necessary in this example flow.

To get the expected results, the logout behavior configuration of the Remember-Me feature must be set to REMOVE_COOKIE.

Example sequences with and without the Keep me logged-in checkbox enabled

The following simplified sequence diagram shows three different sessions. The authentication step is skipped due to successful Remember-Me cookie validation only in Session 2.

remember-me cookie
  1. Session 1 and Session 2
  2. When Session 1 starts, there is no Remember-Me cookie and thus Remember-Me User Identifying Step does nothing. The user enters the username password and checks the Keep me logged-in checkbox.
  3. On successful authentication, IAM generates a new Remember-Me cookie. The Remember-Me cookie is sent to the browser and the necessary information is stored in the IAM database.
  4. The user closes the browser (no explicit logout) and Session 1 is terminated because of a session timeout.
  5. The Remember-Me cookie is still in the browser and the corresponding data in the IAM database is still valid.
  6. When Session 2 starts, the Remember-Me cookie token is sent to Airlock IAM.
  7. Because the cookie token is valid, the IAM authentication flow skips the username + password step.
  8. At the end of Session 2, the user uses the logout button to end the session.
  9. Airlock IAM invalidates the Remember-Me cookie both in the browser and the IAM database, because of the user's logout. On the next login, the username + password step can not be skipped anymore.
  1. Session 3
  2. At the end of Session 2, the Remember-Me cookie has been invalidated because of the logout in step 5.

  3. When Session 3 starts, no Remember-Me cookie is sent to IAM. Therefore, the user is asked to enter the username and password. The user chooses not to check the Keep me logged-in checkbox.
  4. No new Remember-Me cookie is generated.

Additional information

The Airlock IAM configuration template Demo configuration features a complex authentication flow using the Remember-Me feature for the here described use-case.

The demo configuration shows how to configure many IAM features – you may want to check it out.