How does remember me differ from session timeout

So what would a remember me bring to the party?

What’s important to distinguish here is the difference between a “session cookie” and a “remember me cookie”.

Since HTTP is a stateless protocol, a session cookie is used to tie several requests to a single user. Without it, every single request to your webserver is completely unrelated to every other request. Can you imagine writing applications without sessions? Every request is completely empty, no logins, no session variables..every request is an unknown user! This basically means no web applications!

Now, important thing here is to realise that you absolutely don’t want your session to last 24 hours! In my book, this is a very big no-no. The shorter your session is, the safer it is (at least theoretically). Why? Because a session can be hijacked! The longer your session is around, the more chance it has of being hijacked.

For example, imagine a banking application. Also, imagine your user is accessing it on a public PC (our user is not the brightest). So he’s managing his account or whatever..and his phone rings. Being an idiot, he takes the call and leaves, without logging out. Do you want your session to expire in 5 minutes, 15 minutes, or 24 hours? Don’t know about you, but for something as critical as online banking, I want that session gone ASAP.

Moving on to the “remember me” part.

So session cookie “connects” multiple requests in a single session, what does the “remember me” cookie do? In simple terms: it ties multiple sessions to a single user.

You want your site to be easy and pleasant to use, and logging in is almost never pleasant. It’s just an annoying thing you have to do every time before doing that thing you really want to do. A remember me cookie removes that annoyance.

You log in once, check the box, and now you’re always logged in on that PC. This is why you should never use “remember me” feature while on a shared PC, because the next person will have your identity. Legitimately. This is why remember me cookies are also a security risk, they can be hijacked much like the session cookie.

Finally, there is one crucial difference between a session cookie and a remember me cookie: expiration. Session cookies normally expire when you close your browser (or after a time you’ve specified explicitly), whereas remember me cookies typically last for much longer.