
Best way to store remembered recently used accounts for web application

In a web application where you have to log in, we want to implement a feature that shows recently used accounts for the device.

The login screen will display a list of the usernames of the accounts that have recently logged in via the current device. It is about the same as the Google or Facebook login.

The difference is that we always ask for a password. The feature is therefore not one where you simply click on the account and are logged in. We always want the user to type in a password. The usefulness of the feature is that you do not have to keep typing in your username / email address, but can click on a recent account and enter your password. To identify the device, a cookie is required in all cases as far as we can imagine.

Now the question is: How will we store the details of recently used accounts? Two options we can think of:

  1. Store a unique identifier "token" in a cookie. Store on the server which recent accounts are associated with that cookie (i.e. the device) and then display these usernames on the login page to click on.
  2. Store the recent accounts in the cookie itself, i.e. on the device.

With option 1 we think of the following threats:

  • If the cookie containing the token is stolen, the cookie can be presented from any device, thus letting another device/location see which recent accounts are being used on the device the cookie was intended for.

Option 2 seems to have the greatest risk of problems, because:

  • With many recent accounts, the data in the cookie could become too large (for example when some metadata and/or a "last login date" is also stored).
  • If a username changes, the old username remains in the cookie, unless the cookie is updated when the username is changed in the account settings.
  • With option 1, the token in the cookie can be invalidated on the server, after which the cookie can no longer be used. This is not possible with option 2.

In all cases we do not want to be "smart" by using information such as IP address or screen resolution etc., because this information changes regularly, certainly on mobile internet devices and also for people who use a VPN.

How should this feature be implemented?
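A sketch of option 1 as an added example (my code, not the poster's): the cookie carries only a random opaque token, the server keeps a hash of that token mapped to a capped list of user ids, usernames are resolved at display time (so a rename needs no cookie update), and invalidation is a server-side delete. The in-memory dicts, the `recent_device` cookie name and the user records are constructed for the example.

```python
import hashlib
import secrets
from collections import deque

MAX_RECENT = 5      # cap the list per device so the store cannot grow unbounded
TOKEN_BYTES = 32    # 256 bits of randomness for the device token

# Constructed in-memory stores; a real deployment would back these with a database.
users = {"u1": "alice", "u2": "bob"}   # user id -> current username
device_store = {}                      # sha256(token) -> deque of user ids, newest first


def _key(token):
    # Only a hash of the token is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def new_device_token():
    # The cookie value: opaque, unguessable, carries no account data itself.
    return secrets.token_urlsafe(TOKEN_BYTES)


def cookie_header(token, max_age_days=90):
    # Secure/HttpOnly/SameSite keep the token off plain HTTP and away from page scripts;
    # Path limits where the browser sends it.
    return (f"recent_device={token}; Max-Age={max_age_days * 86400}; "
            "Path=/login; Secure; HttpOnly; SameSite=Lax")


def record_login(token, user_id):
    # Called only after a successful password check. Newest first, deduplicated, capped.
    recent = device_store.setdefault(_key(token), deque(maxlen=MAX_RECENT))
    if user_id in recent:
        recent.remove(user_id)
    recent.appendleft(user_id)   # oldest entry falls off the right when full


def recent_usernames(token):
    # For the login page: resolve ids to the *current* usernames, skipping deleted users.
    if token is None:
        return []
    ids = device_store.get(_key(token), ())
    return [users[uid] for uid in ids if uid in users]


def forget_device(token):
    # Server-side invalidation: a copied cookie value becomes useless immediately.
    device_store.pop(_key(token), None)
```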