
Remember Me

Implementing "Remember Me" functionality for extended sessions.

Overview

"Remember Me" allows users to stay logged in for extended periods (30 days) instead of requiring re-authentication when the browser closes.

How It Works

  1. User checks "Remember Me" checkbox during login
  2. Preference is stored in session
  3. Session expiry is set to 30 days (instead of browser session)
  4. User stays logged in even after browser closes

Implementation

Frontend: Login Form

Add a checkbox to your login form:

<!-- templates/login.html -->
<form method="post" action="{% url 'sva_oauth_client:login' %}">
{% csrf_token %}
<div>
<label>
<input type="checkbox" name="remember_me" value="true">
Remember me for 30 days
</label>
</div>
<button type="submit">Sign In with SVA</button>
</form>

Backend: Automatic Handling

The package automatically handles "Remember Me" when the login form is submitted via POST:

  1. remember_me preference is stored in session during login initiation
  2. When tokens are exchanged, session expiry is set based on preference:
    • Remember Me enabled: Session expires in 30 days
    • Remember Me disabled: Session expires when browser closes

Session Configuration

Development

# settings.py (Development)
SESSION_COOKIE_AGE = 60 * 60 * 24 * 30 # 30 days; applies only when a session has no per-session expiry
SESSION_EXPIRE_AT_BROWSER_CLOSE = True # Global fallback (Django's own default is False); a per-session set_expiry() overrides it

Production

# settings.py (Production)
SESSION_COOKIE_AGE = 60 * 60 * 24 * 30 # 30 days
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Allow Remember Me; logins that do not want it must call set_expiry(0)
SESSION_COOKIE_SECURE = True # Cookie is only sent over HTTPS
SESSION_COOKIE_HTTPONLY = True # Page script cannot read the session cookie
SESSION_COOKIE_SAMESITE = 'Lax' # Not sent on cross-site POSTs; keep Django's CSRF middleware enabled as well

Checking Remember Me Status

In Views

from django.http import HttpResponse

from sva_oauth_client.utils import is_authenticated

def my_view(request):
    # The preference is written to the session when the login form is submitted
    is_remembered = request.session.get('sva_remember_me', False)

    if is_authenticated(request.session) and is_remembered:
        # User chose to be remembered
        pass
    return HttpResponse('ok')

In Templates

{% if request.session.sva_remember_me %}
<p>You are remembered for 30 days</p>
{% endif %}

Custom Implementation

Manual Remember Me

If you need custom Remember Me logic:

from datetime import timedelta

from django.shortcuts import redirect

def custom_login(request):
    """Custom login with Remember Me"""
    if request.method == 'POST':
        # The checkbox submits value="true"; an unchecked box sends nothing
        remember_me = request.POST.get('remember_me') == 'true'

        # Store preference
        request.session['sva_remember_me'] = remember_me

        # Set session expiry (per-session expiry overrides SESSION_EXPIRE_AT_BROWSER_CLOSE)
        if remember_me:
            request.session.set_expiry(timedelta(days=30))
        else:
            request.session.set_expiry(0) # Browser session

    # Continue with OAuth flow (GET requests go straight to it)
    return redirect('sva_oauth_client:login')

Security Considerations

Session Security

  • Session data is stored server-side with Django's default database (or cache) backend; the cookie carries only the session key. With the signed_cookies backend the data, including sva_remember_me, lives in the cookie itself.
  • HttpOnly cookies keep page script from reading the session cookie, which limits what an XSS bug can steal
  • Secure cookies are only sent over HTTPS (production)
  • SameSite=Lax keeps the cookie off cross-site POSTs, backing up Django's CSRF middleware rather than replacing it
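The two settings blocks above and the cookie properties just listed interact in a way the page does not spell out: the global SESSION_EXPIRE_AT_BROWSER_CLOSE only decides the cookie lifetime when a login never called set_expiry(), which is why the development block can set it to True and still get a 30-day cookie for Remember Me, and why a production login that forgets set_expiry(0) silently gets a persistent cookie. The following added example (stdlib only, not code from sva_oauth_client or from Django) models Django's decision logic for the Max-Age of the session cookie, mirroring SessionBase.get_expire_at_browser_close() and get_expiry_age(), builds the Set-Cookie value, and audits it the way a reviewer would inspect a real response header. The session key and the fixed clock are constructed values; the 'expires' attribute Django also emits is omitted as redundant with Max-Age.

```python
"""Added example: model of Django's session-cookie lifetime decision plus an
audit of the resulting Set-Cookie header. Not Django or sva_oauth_client code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

THIRTY_DAYS = 60 * 60 * 24 * 30


@dataclass(frozen=True)
class SessionSettings:
    """The settings.py values Remember Me depends on; names match Django's."""
    SESSION_COOKIE_AGE: int = THIRTY_DAYS
    SESSION_EXPIRE_AT_BROWSER_CLOSE: bool = False
    SESSION_COOKIE_SECURE: bool = False
    SESSION_COOKIE_HTTPONLY: bool = True
    SESSION_COOKIE_SAMESITE: str = "Lax"


# The two configurations shown in Session Configuration
DEV = SessionSettings(SESSION_EXPIRE_AT_BROWSER_CLOSE=True)
PROD = SessionSettings(SESSION_EXPIRE_AT_BROWSER_CLOSE=False, SESSION_COOKIE_SECURE=True)


def cookie_max_age(settings, session_expiry, now):
    """Max-Age the SessionMiddleware would emit, or None for a cookie that
    expires when the browser closes. session_expiry is what set_expiry() left
    in the session: None (never called), 0 (browser session) or an absolute
    datetime (set_expiry(timedelta) stores now + delta)."""
    if session_expiry is None:
        # Only when no per-session expiry exists does the global setting decide
        expire_at_close = settings.SESSION_EXPIRE_AT_BROWSER_CLOSE
    else:
        expire_at_close = session_expiry == 0
    if expire_at_close:
        return None
    if not session_expiry:
        # No per-session expiry and persistence allowed: full SESSION_COOKIE_AGE
        return settings.SESSION_COOKIE_AGE
    delta = session_expiry - now
    return delta.days * 86400 + delta.seconds


def set_cookie_header(settings, session_key, max_age):
    """Build the Set-Cookie value for the session cookie from the settings."""
    parts = [f"sessionid={session_key}", "Path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if settings.SESSION_COOKIE_SECURE:
        parts.append("Secure")
    if settings.SESSION_COOKIE_HTTPONLY:
        parts.append("HttpOnly")
    if settings.SESSION_COOKIE_SAMESITE:
        parts.append(f"SameSite={settings.SESSION_COOKIE_SAMESITE}")
    return "; ".join(parts)


def audit_session_cookie(header, remember_me, production=True):
    """Parse a Set-Cookie header and return the findings a reviewer would raise."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar["sessionid"]
    findings = []
    if production and not morsel["secure"]:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: page script can read the session cookie")
    if morsel["samesite"].lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides on cross-site POSTs")
    max_age = int(morsel["max-age"]) if morsel["max-age"] else None
    if remember_me and max_age is None:
        findings.append("no Max-Age: Remember Me had no effect, cookie dies with the browser")
    if not remember_me and max_age is not None:
        findings.append(f"persistent cookie ({max_age}s) although Remember Me was not selected")
    if max_age is not None and max_age > THIRTY_DAYS:
        findings.append("Max-Age exceeds the documented 30 days")
    return findings


def demo(now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Four login outcomes; 'k3y' is a constructed session key, not a real one."""
    remembered = now + timedelta(days=30)  # what set_expiry(timedelta(days=30)) stores
    results = {}
    for name, settings, expiry, remember, prod in [
        ("dev-remember", DEV, remembered, True, False),
        ("dev-plain", DEV, 0, False, False),
        ("prod-remember", PROD, remembered, True, True),
        # Production login that never called set_expiry(0): the global
        # SESSION_EXPIRE_AT_BROWSER_CLOSE=False makes it a 30-day cookie anyway
        ("prod-forgot-set-expiry", PROD, None, False, True),
    ]:
        max_age = cookie_max_age(settings, expiry, now)
        header = set_cookie_header(settings, "k3y", max_age)
        results[name] = (max_age, audit_session_cookie(header, remember, prod))
    return results


if __name__ == "__main__":
    for name, (max_age, findings) in demo().items():
        print(f"{name}: Max-Age={max_age} findings={findings or 'none'}")
```

The last case is the one to watch for in production: with SESSION_EXPIRE_AT_BROWSER_CLOSE = False, the absence of set_expiry(0) on a non-remembered login is indistinguishable, at the cookie level, from Remember Me being checked. Pointing audit_session_cookie() at the Set-Cookie header of a real login response is a quick way to confirm both code paths do what the checkbox promises.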

Token Expiration

Remember Me affects the Django session's expiry, not the lifetime of the OAuth tokens stored in it:

  • Access tokens still expire in 1 hour
  • Refresh tokens still expire in 30 days
  • Data tokens still expire in 5 minutes
  • Middleware automatically refreshes tokens while a valid refresh token is available

Because the refresh token lives at most 30 days, extending a session beyond that point (see Extending Session) does not extend API access: once the refresh token expires the middleware can no longer refresh, and the user has to sign in again.

Best Practices

  1. Use secure cookies - SESSION_COOKIE_SECURE = True in production, so the cookie is only sent over HTTPS
  2. HttpOnly cookies - Keep page script from reading the session cookie, limiting what an XSS bug can steal
  3. SameSite protection - SESSION_COOKIE_SAMESITE = 'Lax' backs up Django's CSRF middleware; keep the middleware enabled
  4. Monitor sessions - A remembered session is valid for 30 days, so a stolen cookie is too; watch for suspicious activity
  5. Clear on logout - Remove the Remember Me preference and call request.session.flush() so the old session key is invalidated

Extending Session

Programmatically Extend

from datetime import timedelta

from django.http import JsonResponse
from django.views.decorators.http import require_POST

from sva_oauth_client.utils import is_authenticated

@require_POST # State-changing, so POST only; Django's CSRF middleware then covers it
def extend_session(request):
    """Extend session expiry to 30 days for an authenticated session"""
    if not is_authenticated(request.session):
        return JsonResponse({'status': 'unauthenticated'}, status=401)
    request.session.set_expiry(timedelta(days=30))
    request.session.modified = True
    return JsonResponse({'status': 'extended'})

Disabling Remember Me

Clear Preference

from django.http import JsonResponse
from django.views.decorators.http import require_POST

@require_POST
def disable_remember_me(request):
    """Disable Remember Me for the current session (for a full logout, also clear the OAuth session and flush)"""
    if 'sva_remember_me' in request.session:
        del request.session['sva_remember_me']
    request.session.set_expiry(0) # Browser session
    request.session.modified = True
    return JsonResponse({'status': 'disabled'})

Testing

Test Remember Me

# tests.py
from django.test import TestCase, Client
from django.urls import reverse

class RememberMeTestCase(TestCase):
    def test_remember_me_enabled(self):
        """Session gets a 30-day expiry when Remember Me is checked"""
        client = Client()
        client.post(reverse('sva_oauth_client:login'), {'remember_me': 'true'})
        # set_expiry(timedelta) stores an absolute timestamp, so the remaining
        # age is a few seconds under 30 days by the time the assertion runs
        self.assertAlmostEqual(client.session.get_expiry_age(), 60 * 60 * 24 * 30, delta=5)
        self.assertTrue(client.session.get('sva_remember_me'))

    def test_remember_me_disabled(self):
        """Without the checkbox the session cookie expires when the browser closes"""
        client = Client()
        client.post(reverse('sva_oauth_client:login'), {})
        self.assertTrue(client.session.get_expire_at_browser_close())

Best Practices

  1. User choice - Let users decide
  2. Clear messaging - Explain what Remember Me does
  3. Secure storage - Use secure session cookies
  4. Monitor usage - Track Remember Me usage
  5. Easy logout - Make it easy to disable

Next Steps