
Login page should be configurable to check "Remember me" by default

      There should be a configuration available through "Confluence Admin" that sets the "Remember me" checkbox on the login page to be checked by default.

      Though I don't have any suggestions to offer regarding the current UI, I find that most users aren't really aware of the checkbox, nor do they investigate it. They just skip over it directly to "Log In". Most of these users instead choose to have their web browser remember the password - which is less secure, as it requires the web browser to remember the password, instead of just a cookie that stores the Confluence session ID - from which the password cannot be retrieved.

      I'm including a patch for login.vm that can be used to change the checkbox to be checked by default. This is not an ideal work-around, as the patch will need to be re-applied with any upgrade to Confluence.

            [CONFSERVER-22650] Login page should be configurable to check "Remember me" by default

            Mario Ecimovic added a comment -

            This option would be very interesting for our company because of the following (please reroute me to some other issue if one exists):
            When a user gets an email notification about a change on some Confluence page, he clicks on the link. Confluence asks for login, so the user logs in, everything OK here. But when he clicks on some other page (or even on the same page), Confluence asks him once again to log in. It's like the given (first) authentication "works" only for that page (and click). This case is on IE9. On Firefox, it works OK. In Firefox, I can log in once and navigate to other pages without problems. The workaround is to check the "Remember me" option in IE, but it's inconvenient for most users to do that every time they log in. Since hundreds of users use IE9, it's much easier that we have the default option "Remember me" checked.
            Any ideas?

            MarkZ added a comment - edited

            Included header comment in file / patch with link to this ticket.

            Matt Ryall added a comment -

            Thanks for the suggestion, Mark.

            We recently changed the login page to make it opt-in for 'Remember me'. This is a security feature of Confluence and designed to prevent people accidentally storing authentication cookies on public or shared computers.

            Unless there's a lot more demand for this, we aren't planning to change our decision or add more security options to Confluence. Our current position is that enabling 'Remember me' by default makes it too easy for Confluence authentication cookies (which are valid for two weeks by default) to be inadvertently shared by users.

              matt@atlassian.com Matt Ryall
              58513723893b MarkZ