remember me? .htaccess authorization or forum sign in vs. e-commerce sites sign in

searain

When we use .htaccess to do the member authorization, the pop up user/password window has the feature as "remember me" for future auto log in.

For forum, yahoo, hotmail users accounts, also we have the "remember me" for the future auto log in.

But all the major e-commerce sites' accounts, such as amazon, sears, futureshop, zen-cart (no matter the account has credit card information or not), for the account log in, they all don't have "remember me" any more.

Are there any documents about this general industry practice of the e-commerce sites (not have the "remember me" feature in the e-commerce accounts log in page)?

I need some support authoritative resource to tell the clients that for the e-commerce sites' user accounts, the general practice is not have the "remember me" log in feature. E-commerce accounts are treated differently than the "free" accounts such as forum, yahoo, hotmail user accounts.

Thanks!

thorpe

your in the wrong forum looking for help. we just banter on in here. but anyway, im not sure of any docs on the subject but the reason seems simple.

if i logged into an ecommerce site and logged in (selecting remember me) then went ahead and made a purchase using my credit card, the next person using my computer could then turn up to the same site and buy something on my credit card.

of course, you could just as easily make a remember me function that still required a credit card number to be entered for each purchase, but i think thats the general gist.

searain

thanks for your reply. sorry if this issue is off the focus of this forum.

i knew there was no exactly right forum for this topic. the clients are not security alerted enough and the sales person usually tend to listen to the clients. So i tend to my fellow programmers here who I belived that care about security more than sales department to help me convince them to see how you guys do and convince clients and sales department that here, "log in every time" is a good choice.

when use "remember me", of course we will

1) first, the site will have a note to remind the users that "remember me" should be used only on secured computer in his office or home, NOT ON PUBLIC COMPUTERS.

2) second, the e-commerce accounts on our site will never save the crucial financial information, the credit card payments is through the 3rd party transaction sites such as authorizenet etc. To finish the purchase, the shoppers still have to fill out the form on authorizenet, the account information on our site is for the auto filling address and save the shopping cart, wish list etc.

But still, I would prefer not set up the "remember me" for the e-commerce sites. the end user is not "security alerted" enough to follow the advice such as only use it on secured computer in home or office.

Thanks!