Skip to main content

login persistency(?)

hello !Friendica Support, i am wondering why i have to log in to friendica each and every time i open a browser. is this by design, and/or are there options to change that behaviour? (i can not find anything related to that)


Friendica Support reshared this.

On login you can check an option to keep logged in.
When you log in to your account, there is a "remember me" checkbox you can select. If you do so, the cookie should be stored and you should be logged in when you visit the page the next time.
haha. thanks for that superfast answer! it totally did not occur to me that this checkbox is for staying logged in instead of just storing the login name or something. thanks, and sorry for bothering you with that. but while we are at it, what exactly does the "this device is my 2fa device"-checkbox on the 2fa login change if enabled? i tried, and it seemed to not do anything. what did i miss?
also, checking "remember me" does bypass the login screen, but throws me into the 2fa screen to enter a 2fa token if the browser has ben closed since the last session. is that intended?
@Felix Bohmann I think so yes.
Basically both features are based on cookies, and web cookies are some kind of black magic I haven't been to completely master. Normally it should either ask you for both, or none, because both are based on cookies, but I can't guarantee any of it.
ok, i tried this, if i check "remember me" and "this is my 2fa device" it seems to work as intended. yet, i'd like to question wether the behaviour of throwing a 2fa login at the user while the user stated "remember me" is useful behaviour. friendica is the only web thing i know that decouples 2fa from the login that way.
You remembered the intention right!
Do you mean that you shouldn't be asked for a 2FA token if you checked the "Remember Me" box?
yes, since the 2fa is just another layer of security for the login, what good is the "remember me" function if it only remembers halfway? :)
2FA is an added security measure. As such it's pretty much independent from the mail credentials. Since it's easier to use than remember password, you may want Friendica to remember your login/password but have to supply your 2FA regularly to prevent someone to hijack your session.
ok, i get that, but the user experience is not great. maybe in the future this can be something that the user can choose in his options; wether it is linked to login or not. right now i can abuse the "this is my 2fa device" for that.
Yes, I do not like this option but it sort of makes sense. When I'm using my phone to browse Friendica, I have my 2FA app on it as well, so the security benefit to ask me for the token on this device is null because anyone with my phone can still log into my Friendica account even if it asks the 2FA token.
true. i store my 2fa stuff in a password manager, so there is a layer of security in the form of a long password infront of my 2fa tokens. but that makes it so unpleasant to type the 2fa tokens in more than necessary. i guess there is no right and wrong options here.
Yes, it's all about tradeoffs between convenience and security. 2FA mostly prevents remote logins with stolen credentials, but your mobile device security is another matter entirely.