Authorio 0.8.2 Released

Authorio 0.8.2 has been released.

The main new feature in this release is Local Sessions. You can enable this in the config file, and if it’s enabled you get a “Remember Me” box you can check on the authentication form. This works like any other website you can log into. Checking the box means you don’t have to type in your password for 30 days (or however long you set the session lifetime in the config).

The difference is, while checking “Remember Me” on your bank’s login means you can stay logged in to your bank, the “Remember Me” in Authorio means you don’t have to type in your password in Authorio, which means you can authenticate yourself to any IndieAuth website without using any password. Even a site you’ve never been to before. This is quite powerful, maybe even too powerful. I’m not sure how I feel about it. On the one hand, it’s convenient not to have to type in a password over and over. That’s why people like “Remember Me” in the first place. On the other hand, since this can potentially authenticate with any number of sites, it’s a much greater security risk. If you enable Local Sessions on your laptop, then anyone who has your laptop can authenticate themselves as you to any website that uses IndieAuth.

The feature is disabled by default.

The other new feature of significance is Token Expiration. I’m not aware of any sites that use authentication tokens; I think most sites only ask for a profile (IndieAuth clients have these two options). But if they do ask for a token, there is now a configuration option that lets you set the token expiration.

Comment on this post by replying on Twitter

No webmentions were found.