Am I the only one confused by the new Remember Me functionality?

Karie Kelly
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 18, 2012

If you actually log out of the application (which we often are requested in terms of working with applications and having clean sessions), the message says that the Remember Me option is cleared. Why is Remember Me tied to logout?

In my experience, Remember Me means when I go to the login, my credentials are populated, but I log in. It doesn't tie to log out. I log out and when I go back to the login, it should know my credentials and allow me to click login.

This is how it used to work a few weeks bug (not a new bug); but Monday's release changed the overall logic - am I mistaken or is this the behavior typically experienced by others using Remember Me logic?

2 answers

1 vote
Norman Abramovitz
Rising Star
October 18, 2012

There are two ways to look at the remember my login. One way is the way you thought about it related to the login.

The other way it is tied to the logout. Your encrypted credentials are remembered if you close the browser. When you reopen the browser, those encrypted credentials are used again. When you log out, you are stating explicitly you want your encrypted credentials removed.

If it is only tied to the login, it is a little harder to get your encrypted credentials removed. In that case you need to clear your cookie cache or have some other functionality built into the application.

If you tie the remember me to login, then when someone else uses your account, they will not be prompted to log in, even if you logged out.

So, it is slightly more secure having the remember me tied to logout than login since the next person will be prompted to log in if you did log out.

0 votes
Felipe Cuozzo
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 18, 2012

The Remember Me feature in OnDemand means that you don't need to log in (see the login form) every time your Application Session times out, so it will allow the system to 'know' that your browser is already authenticated after you turn off your machine and come back after a weekend, for example.

When you log out it will clear all Remember Me cookies on the server, so even if you have a cookie on your browser it will fail to authenticate and ask again for your credentials.

Please don't confuse this feature with the 'Save Credentials/Passwords' that is offered by your browser, as that will store the credentials only on the client side, avoiding you having to remember the actual credentials every time.

We have a bug that is going to be fixed next Monday that makes the 'Remember Me' function misbehave when the user is using a mobile device that changes its IP address over time, so you end up being logged off every time an IP address change happens.

As a last note, this feature should not be used on public/shared computers as it would allow someone to impersonate your account.
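
The server-side behaviour described in this answer, sketched as an added example (not part of the original post and not Atlassian's code): a remember-me cookie is only honoured while the server still holds a matching record, logout deletes every record for the user, and optional IP binding rejects the cookie after an address change. The class name, the in-memory store, storing only a hash of the token, and the sample user and addresses are assumptions.

```python
import hashlib
import secrets


class RememberMeStore:
    """Server-side record of remember-me tokens (hypothetical, in-memory)."""

    def __init__(self, bind_ip=False):
        self.bind_ip = bind_ip
        self._tokens = {}  # sha256(token) -> (username, issuing IP)

    @staticmethod
    def _digest(token):
        # Assumption: keep only a hash so a leaked table cannot be replayed as cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, ip):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (username, ip)
        return token  # value the browser keeps in its cookie

    def authenticate(self, token, ip):
        """Return the username for a valid cookie, or None to force a login."""
        record = self._tokens.get(self._digest(token))
        if record is None:
            return None  # unknown or revoked: the browser cookie alone is useless
        username, issued_ip = record
        if self.bind_ip and ip != issued_ip:
            return None  # address changed (e.g. mobile network): challenge again
        return username

    def logout(self, username):
        """Drop every remember-me record the server holds for this user."""
        stale = [d for d, (user, _) in self._tokens.items() if user == username]
        for d in stale:
            del self._tokens[d]
        return len(stale)


def demo():
    store = RememberMeStore(bind_ip=True)
    cookie = store.issue("alice", "198.51.100.7")        # constructed sample values
    same_ip = store.authenticate(cookie, "198.51.100.7")
    new_ip = store.authenticate(cookie, "203.0.113.20")   # same cookie, new address
    store.logout("alice")
    after_logout = store.authenticate(cookie, "198.51.100.7")
    return same_ip, new_ip, after_logout
```

With `bind_ip=False` the same cookie keeps working across address changes, which is the convenience side of the trade-off discussed in the comments that follow.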

Norman Abramovitz
Rising Star
October 18, 2012

Actually, I see what you are calling a bug (remember me per IP address) as a good security feature versus a bug, especially for mobile devices. Yes, you should be able to override this behavior or be able to configure legal domains (plural is important) that will not be challenged. An example of this type of behavior is Bank of America, which challenges a login if it came from a different IP address (i.e. it was not seen before). It really depends on whether your requirement is for security or convenience.

Karie Kelly
Rising Star
November 3, 2012

I'm going to close the ticket as I still think it's confusing. I've gone to several other hosted applications and remember me is used to remember your credentials and password. You still log in, but it helps to remember the credentials. And, most have this as a default and you check a box if you don't want your credentials remembered. And logoff is just that -- it ends your session -- it doesn't reset how you want your login preferences to be set -- those are done at login.

The goal is to still have a login, but have one click to access vs typing in your username and password.

And, since that was my experience with many other hosted applications, including many that you probably use as well (just go look at your email if you use an email service), Quickbooks, online banking, brokerage accounts, etc. I would have expected OnDemand to work as most others to provide that consistency that users have come to expect.

So, I just have to explain to my users that Atlassian doesn't work the same way. It's different. But, it's frustrating that, although there is no 'standard', that the PMs don't consider how most other apps behave to make it less confusing.
