
Must pass full credentials after a while

10 Posts

Normally, whenever I connect to this site, I am logged in automatically based on the credentials of my previous login. That is nice and handy and common practice.

However, the authorities of the www have decreed that life should not be made over easy on people with dishonest intentions, so from time to time one must reconfirm the credentials i.e. the combo of login and password. This is still common practice, but a lot less handy.

What displeases me is that, every couple of weeks or so, when I must confirm password and login, the previous values are not there by default, even though I frantically click the "remember me" whenever it pops up... Always have to type email address & password key for key, and that is not up to current www standards, to my feeling. I must admit though that I am using a configuration out of the usual: Chrome web browser on Debian Linux, which might well explain it all.

EBZH Kiewit, Belgium

I get this too when logging on via different IPs e.g. from mobile (3G) networks.

Usually it happens with my Nokia phone.

It never happens at home (ADSL).

No idea what the rules are that decide when to force a new login. Maybe one gets this when accessing EuroGA via an ISP's proxy server?

Administrator
Shoreham EGKA, United Kingdom

Techy answer - the site credentials are stored in a cookie. This will send some identification information to the server when requesting a euroga page, which allows the site to recognize you. Best practice is that this cookie does NOT contain your username nor your password, but some other identifying information.

Receipt of that cookie is used to log you in.

The cookie is set to expire, at which point none of the information in the cookie will be sent. This expiry is happening on the browser end, so the server will now not recognize you at all.

The solution to this is to have a second cookie that does not expire or expires much later, which has identifying information [allowing the web site to show your user name] but does not serve as a log-in token.

This would have to be implemented by the site developer. The standard log-in mechanisms people use for their sites might or might not support it (MS ASP.net doesn't out of the box).

Whether the system accepts multiple parallel cookies from different systems, or whether it invalidates any cookies upon log-in from a different system, is again up to the site developer. However, unless it is specifically required, I believe invalidating cookies from other systems is not usual unless a single sign-on MUST be enforced.

Biggin Hill

Do you use Internet Explorer? I get the same issue, but I also lose access to a number of other sites where my passwords are stored via a cookie. It's not me deleting cookies manually, so I wondered if it is IE randomly (or not randomly) doing it?

Jan:

The "Remember Me" feature is currently set to remember you for two weeks and is applicable only to the browser in which you ticked it whilst logging in. i.e. if you log in from one browser and tick the box you'll stay logged in in that browser, but if you use the browser on your mobile and don't tick it on there then you'll be logged out at the end of that session. Once the two weeks are up, or if you didn't tick remember me, you'll be asked to login again, using your email and password. It's unrelated to IP addresses, proxies, etc.

Whether your browser fills in the Email and Password boxes for you when you go to login is nothing to do with the site; it's a function of your browser and how it's configured. Most modern browsers offer to remember email addresses and passwords and/or you can use plug-ins which offer that functionality.

Cobalt:

None of the site's cookies contain your password or email address.

Administrator
EGTR / London, United Kingdom
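As an added illustration of the two explanations above (the cookie mechanism described in the Biggin Hill post, and the two-week, per-browser "Remember Me" the administrator describes), here is a small Python model of a server-side session store. It is example code written for this page, not EuroGA's own code nor that of the forum software it runs; the one-hour plain-session lifetime, the `SessionStore` and `set_cookie_headers` names and the one-year display-name cookie are assumptions.

```python
"""Opaque-token login cookies with a separate, non-authenticating display cookie.

Added example for this thread; not EuroGA's code. Assumed: a plain session
lasts one hour; "Remember Me" lasts the two weeks the administrator quotes.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SESSION_TTL = 60 * 60              # plain session (assumed one hour)
REMEMBER_TTL = 14 * 24 * 60 * 60   # "Remember Me": two weeks
DISPLAY_TTL = 365 * 24 * 60 * 60   # display-name cookie (assumed one year)


@dataclass
class SessionRecord:
    user_id: int
    expires_at: float


class SessionStore:
    """Server-side table of random token -> user. The browser only ever holds
    the token; the username and password never go into any cookie."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                     # injectable so tests can move time
        self._sessions: Dict[str, SessionRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a copied session table
        # cannot be turned straight back into working cookies.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def login(self, user_id: int, display_name: str, remember_me: bool) -> Dict[str, dict]:
        """Cookies to set after a successful password check.

        Every login mints its own token, which is why ticking the box in one
        browser does nothing for the browser on your phone.
        """
        ttl = REMEMBER_TTL if remember_me else SESSION_TTL
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = SessionRecord(user_id, self._clock() + ttl)
        return {
            # Authenticating cookie: a random token and nothing else.
            "session": {"value": token, "max_age": ttl,
                        "secure": True, "httponly": True, "samesite": "Lax"},
            # Long-lived display cookie: lets the login page greet the user
            # by name; resolve() never reads it, so it grants nothing.
            "display_name": {"value": display_name, "max_age": DISPLAY_TTL,
                             "secure": True, "httponly": True, "samesite": "Lax"},
        }

    def resolve(self, cookies: Dict[str, str]) -> Optional[int]:
        """Map the cookies a request carries to a user id, or None if not logged in."""
        token = cookies.get("session")
        if not token:
            return None
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        if record.expires_at <= self._clock():
            # Server-side expiry backs up the browser's Max-Age: a cookie kept
            # past its date is refused even if the browser still sends it.
            del self._sessions[key]
            return None
        return record.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_all(self, user_id: int) -> int:
        """The optional single-sign-on behaviour: drop every session of one user."""
        dead = [k for k, r in self._sessions.items() if r.user_id == user_id]
        for k in dead:
            del self._sessions[k]
        return len(dead)


def set_cookie_headers(cookies: Dict[str, dict]) -> List[str]:
    """Render login()'s result as Set-Cookie header values."""
    out = []
    for name, c in cookies.items():
        parts = [f"{name}={c['value']}", f"Max-Age={c['max_age']}", "Path=/"]
        if c["secure"]:
            parts.append("Secure")
        if c["httponly"]:
            parts.append("HttpOnly")
        parts.append(f"SameSite={c['samesite']}")
        out.append("; ".join(parts))
    return out


if __name__ == "__main__":
    store = SessionStore()
    for header in set_cookie_headers(store.login(7, "Jan", remember_me=True)):
        print("Set-Cookie:", header)
```

The display-name cookie is the "second cookie" from the Biggin Hill post: it can outlive the login by a long way precisely because `resolve()` ignores it, so losing or leaking it costs nothing. Whether a new login should call `revoke_all()` is the site-developer choice the same post mentions.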

The "Remember Me" feature

Is this something that applies to all browsers or with all ISPs?

Besides all of the above reasons, login credentials may be lost in the event of a browser or operating system crash, and the situation is not unique to this site. A nice way to handle the problem is an external password management utility like e.g. KeePass - as an added benefit, you get secure storage for passwords to those sites where security is really important (internet banking, etc.). It fills the login/password fields upon pressing a hotkey, or even automatically if you install a browser integration plugin (KeeFox in case of KeePass + Firefox).

LKBU (near Prague), Czech Republic

you get secure storage for passwords to those sites where security is really important

Presumably you still need to control the physical access to the machine. The login credentials are highly likely to appear in the operating system swapfile, and while the app can be written to avoid that, if somebody else can get access to the machine unsupervised, they can install a keylogger, a screen capture prog (for on-screen keyboards) etc.

Administrator
Shoreham EGKA, United Kingdom

If someone gets physical access to your computer then pretty much all security bets are off, unless your HDD is encrypted. Likewise if someone gets logged on as an admin.

One might argue that a program to auto-fill passwords is some sort of a defence against keylogger exploits, although I personally don't trust any really sensitive information to auto-fill progs. It's too easy to leave yourself logged on.

For the truly security-conscious, KeePass enables you to encrypt your password store with multiple keys, e.g. a password and a key file, thereby making it harder for the keyloggers to gain access to the store because they would need both. And there are various iPhone apps to work with the store (via Dropbox), so you can access passwords on the move.

EGBJ / Gloucestershire

The "Remember Me" feature

Is this something that applies to all browsers or with all ISPs?

Yes. "Remember Me" is cookie based and therefore independent of the browser or the ISP.

The solution to the problem that others are discussing of keyloggers and screen capture spyware is two-factor authentication, where in addition to the password you need an access token, typically a six digit number which changes every 30 seconds. The software on which we're running EuroGA supports this, but let's face it, it would be ridiculous overkill for this site so I've not enabled it here.

Administrator
EGTR / London, United Kingdom
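The six-digit code that changes every 30 seconds, as the administrator describes it, is the TOTP scheme of RFC 6238 (HOTP from RFC 4226 driven by a time counter). The following is an added Python example, not EuroGA's code nor that of its forum software; the `TotpVerifier` class, the one-step tolerance window and the replay check are design choices assumed here, not things the thread states. The demo secret is the published RFC test-vector secret.

```python
"""Time-based one-time passwords (RFC 6238) with a small server-side verifier.

Added example for this thread; not EuroGA's code. Checked against the
published RFC 4226 / RFC 6238 test vectors (secret "12345678901234567890").
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable
from urllib.parse import quote

STEP = 30     # seconds per code, as the thread describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import (normally shown as a QR code)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class TotpVerifier:
    """Server side: accept the code for the current step or one step either
    side of it (clock drift), and never accept the same step twice (replay)."""

    def __init__(self, secret: bytes, window: int = 1,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._window = window
        self._clock = clock
        self._last_counter = -1   # highest counter already spent

    def verify(self, code: str) -> bool:
        # Reject malformed input before any comparison.
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        now = int(self._clock() // STEP)
        for counter in range(now - self._window, now + self._window + 1):
            if counter <= self._last_counter:
                continue          # that step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC test vector); a real one comes from secrets.token_bytes(20).
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "pilot@example.invalid", "EuroGA-demo"))
    print("current code:", totp(demo_secret, time.time()))
```

Because the code is derived from a shared secret and the clock, a keylogger that captures one code gets a value that is useless after the window closes, and the replay check refuses it even inside the window; what the keylogger would need is the secret itself, which never leaves the authenticator app and the server.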