
Trending Login Features of a Web Application

"Login" is a simple process for entering a website's logged-in session pages.

The user simply enters the correct username and password and logs in successfully.

But today the login process may involve much more than that.

The following are some key considerations once a simple login process has been created.

  1. Remember me point. 
  2. Forgot password point.
  3. Keeping login duration.
  4. Mobile OTP based login.  
  5. Session setting for all secured pages.



    1. Remember me point. The "Remember me" function in a login module gives a better user experience, but on the other hand it may weaken security. If you are working with money-related applications, it is suggested that you do not include this function in the login module.

    This is because when we add this function, we store credentials (username and password) inside the browser's cookies. Any other person may get a copy of the credentials from your browser's cookies.

    It is a best practice to ask the user for credentials each time he/she visits login-enabled pages.

    But in most cases we add the remember me function for the convenience of the web user.
     

    2. Forgot password point. There are many ways to implement this function. You can send the password to the registered email ID. You can also send the password to the mobile number associated with that account. Or you may give the user a create-new-password link by mail or by text message.

    Imagine a case where someone has hacked the email ID: he will steal the credentials from there. So do not give access instantly. Bind the new password to a time delay, meaning the user will get the SMS or mail after 3 hours or after 24 hours.

    A developer may use a hint feature to get the old password. During registration the user gives a hint for the password. By using the hint question he can get the old password. Hint options should be difficult for any web user.

    3. Keep login duration: It is very good practice to record the login duration of all website users. By keeping login details we can sort out a lot of things if something goes wrong because of hackers. This is very easy to implement. The first step is to enter the time in the database at login. The second is to send a heartbeat (an AJAX request) from each login-enabled page. Overwrite each heartbeat with the latest one, so that you can always access the last heartbeat. The difference between the two gives the total time spent by the user on the website.


    4. Mobile OTP based login:
        This feature adds security through your mobile. The user will always get an OTP, and after entering this OTP he/she will access the login-enabled pages of the website.

    5. Session setting for all secured pages.
    After a successful login a web user comes into session. Keep in mind that after login all login-enabled pages must check whether each request is in session or not.
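The two steps described under "Keep login duration" (point 3) can be sketched as follows. This is an added example, not code from the original post; the `login_log` table, its columns and the function names are assumptions, and an in-memory SQLite database stands in for the site's real database.

```python
import sqlite3

def open_db():
    """In-memory database with one row per login session (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE login_log ("
        " session_id TEXT PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " login_at INTEGER NOT NULL,"      # step 1: written once at login
        " last_heartbeat INTEGER)"         # step 2: overwritten by each heartbeat
    )
    return db

def record_login(db, session_id, user_id, now):
    """Step 1: enter the login time in the database."""
    db.execute(
        "INSERT INTO login_log (session_id, user_id, login_at) VALUES (?, ?, ?)",
        (session_id, user_id, now),
    )

def record_heartbeat(db, session_id, now):
    """Step 2: overwrite the stored heartbeat with the latest one.

    `now` must be the server clock, never a timestamp sent by the browser.
    MAX() keeps a delayed request from moving the heartbeat backwards.
    Returns False for an unknown session id, so the handler can reject it.
    """
    cur = db.execute(
        "UPDATE login_log"
        " SET last_heartbeat = MAX(COALESCE(last_heartbeat, login_at), ?)"
        " WHERE session_id = ?",
        (now, session_id),
    )
    return cur.rowcount == 1

def login_duration(db, session_id):
    """Seconds between login and last heartbeat; None if the session is unknown."""
    row = db.execute(
        "SELECT login_at, last_heartbeat FROM login_log WHERE session_id = ?",
        (session_id,),
    ).fetchone()
    if row is None:
        return None
    login_at, last_heartbeat = row
    return 0 if last_heartbeat is None else last_heartbeat - login_at

if __name__ == "__main__":
    db = open_db()
    record_login(db, "sess-1", 42, 1000)   # constructed sample timestamps (seconds)
    for t in (1060, 1120, 1090):           # the last one arrives out of order
        record_heartbeat(db, "sess-1", t)
    print(login_duration(db, "sess-1"))
```

The heartbeat handler should sit behind the same session check as every other login-enabled page (point 5), so that only a request already in session can update a row.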
