Persistent Login

Overview

The Persistent Login module provides a "Remember Me" option on the user login form. Persistent Login is independent of the PHP session settings and is more secure (and user-friendly) than simply setting a long PHP session lifetime.

The 7.x version provides additional security by attempting to detect unauthorized re-use of tokens. For a detailed discussion of the design and security of Persistent Login, see Improved Persistent Login Cookie Best Practice.

Features

• Control how long user logins are remembered, before a user will have to enter their credentials again.
• Control how many different persistent logins are remembered per user.
• Control which pages a remembered user can or cannot access without explicitly logging in with a username and password (e.g. you cannot edit your account or change your password with just a persistent login). (7.x only)
• A user can clear all of his/her remembered logins via their account page. (7.x)

Known Issues

• 7.x
  • #327263: Security warning triggered by simultaneous requests: If a user opens several pages of a website simultaneously, the first request will invalidate the token and may cause the subsequent requests to trigger the security alert.
  • #1395996: It doesn't keep login when using OpenID login: OpenID logins don't provide the information required for Persistent Login to set tokens for the user.

Get Involved

If you're interested in getting involved in module development but don't know where to start, reach out to gapple (@gappleca on Twitter).