What are the differences between “Remember me” and "Stay signed in" functionality?
For my understanding:
"Remember me"
We store password and username without login.
User clicks the login button and is logged in.
"Stay Signed in"
We store password and username with login.
Please tell me which one we prefer for the website and their exact meaning.
Do you have references or arguments for these two to be different things? In my understanding this could easily be different words for the same thing.
I agree with dauer, **MAYBE** in the past SOMEONE stored user name and password somewhere, but nowadays NO SANE PERSON will ever do such a thing, and they express exactly the same thing (keep a login token). Any obscure implementation detail (session storage vs cookie vs local storage vs whatever) is exactly that: an obscure implementation detail (definitely not bubbled up to the UI). And even disabling the "autosave credentials" feature in the browser is reliable enough to be used on any website.
To make the question clearer, perhaps you should include in the question the type of website (i.e. your users) and which option (i.e. feature rather than the label) you were thinking of implementing and maybe you'll get responses from people who have implemented the functionality with one or the other phrase.
"Remember Me" is typically used to remember the email address/user name of the user that logs in, so they only need to enter their password on subsequent visits. Contrary to other answers, I would say that the password is almost certainly not remembered as a matter of practice. Alternative forms of this are "remember my email" or "remember user name", which makes it clear that they will need to enter their password again. This function is usually (more or less) safe on a public device; while it shows the user name, the person would need to also know the password to access a given account.
The most common form of "Remember Me" seems to go something like this:
Welcome back, "user name here." Please enter your password to continue.
Of course, this isn't universal, and some systems do store the actual password and/or session, but this is probably not correct; you can remember someone without automatically authenticating them.
"Stay Signed In" means just that: the user's session token is preserved with a very long expiration time and won't automatically be cleared out when the user closes their browser. This function is never safe on a public computer, and it should be made clear to the user that they're logged in indefinitely when they choose this option. It is less secure than a simple "remember me" setting, but offers convenience for users logging in from private devices.
Many web browsers will (separately) offer to remember a password for you, and automatically fill it in whenever the corresponding username is entered on the same website (originally assumed to be a security risk, this can in fact improve security, providing protection against phishing attacks, as the browser knows when it's not the real site even if the user doesn't!). The user-visible effect is as though the website had remembered both, but in fact only the username was remembered by the website (or a cookie it issued). As far as the website is concerned, you're still entering your password every time.
As I understand it, "Remember Me" will retain your login details making future logins simpler and quicker while "Stay Signed In" simply prevents any automated logout.
Which one you prefer depends on the level of security you wish to maintain or that is inherently present in the technology you are using. On a smartphone, for instance, the user may lock their phone with their own security measures, so you don't necessarily need to worry about logging the user out - their inherent security measures effectively replace yours (to a degree). However, if the user is working at a public terminal, you should not only worry about making sure that they are logged out when they leave but also about reducing the session length to minimise the number of accounts that are accidentally left logged in without their users present.
These examples are, of course, fairly extreme and you would need to use research and judgement to decide the best measures for your situation.
I'm not sure why you think "stay signed in" is _worse_ in terms of security. For things like "stay signed in" all you need is to store a session key, which can easily be invalidated. For things like autofill password you need to store the actual account details client side, which means you make them recoverable on site. _Neither_ of these are a good option for public spaces, but keeping a session around for a short while is _slightly_ less dangerous.
This doesn't answer the question asked. You've discussed the benefits and problems that are common to both approaches, but not the differences between the two methods.
@Cubic thanks for that - I stand corrected but the point I made is still valid: OP needs to research and test to find out which solution is best in their case
@thelem My answer is that (as with a ridiculous number of things in UX) OP needs to research and test to find out which solution is best in their case. To show this, I outlined the issues and then said "you would need to use research and judgement to decide the best measures for your situation".
I think if you could provide examples of sites that implement the feature with the said phrases it would make a more complete answer. I don't see any issues with people coming up with similar responses independently, and I am glad to see that it has been resolved without a need to escalate this further.
@MichaelLai the question wasn't about the phrases used but about which setup OP should use. Also, I try to avoid linking "example" sites as they change too quickly to be of any long-term use here.
The "Remember me" feature is usually used to preserve the username entered by the user. The next time the user visits the login page, the form can be populated with that info. (Update: After better research, I read some suggestions to improve the UX for this, like replacing "Remember me" with "Remember username on this computer" - https://www.sitepoint.com/3-rules-painless-account-ux-login-screens/, Do we really need a "Remember me" option on a Login page?). In this case, after you close the browser you will be logged out, and when you open the login page the username will be pre-filled.
"Stay Signed in" will keep the user logged in for a longer period of time, even if you close and reopen the page, using a cookie.
Is this how you normally see "Remember me" implemented? @phyrfox's description of the feature is what I am more familiar with.
@MichaelLai Yes, it is the functionality I usually implement. phyrfox seems to say that the password should not be pre-filled (I'm not sure; on this question, it seems all the users like to edit the answers). I don't understand what can be debatable ... In fact, these are labels for the checkboxes, which explain that the info is "remembered" or that the user can stay "signed in".
Even though the question was a little bit ambiguous, it has still generated a number of good answers (which I have upvoted) and gained a large number of views. I believe that between the answers and the comments contributed thus far most of the points have been covered so I think it is a good outcome don't you?
You've described the main UX difference in your question: "Remember me" will present a pre-filled login form, but with "Stay signed in" the user will be straight into their account. Displaying the login form adds an extra step for the user, but ensures they know which account they are logging into and allows them to log in to a different account if they want to. Both methods allow any user who has control of the browser to access the saved account.
There are some more subtle security differences, but exactly how they apply will depend on how your login system works.
A secure login system will try to minimise where it stores and processes the password. For example, it might ask for your username and password, then return a session ID. The application internally knows who is logged into that session and that their password has been verified, so it doesn't need to check the password on every request and the password does not need to be stored by the user's browser. If you implement a "Remember me" feature then you will need to store the user's password somewhere, probably in a browser cookie. Anyone who can access that cookie can then discover your password and use it on their own computer, and can provide it when asked to verify it for sensitive operations such as changing the password.
It is also good practice to log users out of other devices when they change their password, because they may be changing their password because they know it has been compromised and they want to ensure that anyone who knew their compromised password no longer has access to their account. If the password is verified for every request then that happens automatically, but if authentication relies on the session then it should be implemented as a security feature.
Just curious as to how the user normally opt out of the 'Stayed signed in' or 'Remember me' option if they no longer want this feature. It would be interesting to see if the user's impression about the relative security of these features match with the actual technical implementation.
Both should be a checkbox on the login form, and should only be remembered as long as the session or password is remembered. When the password is automatically filled, "remember me" should be checked too. If you log in without "remember me" checked, then it should delete your password. Lots of login forms don't work that way though.
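As an added example (not code from any answer above, and not from any particular site), the following Python sketch implements the two features the way phyrfox's answer distinguishes them and adds the password-change revocation that thelem's answer calls for: "Remember me" sets a cookie holding only the username, used to pre-fill the login form, and is cleared on a login without the box ticked (the behaviour the last comment describes); "Stay signed in" issues a long-lived session cookie backed by a server-side record that can be revoked on logout or when the password changes. The in-memory stores, the 30-minute and 30-day lifetimes, and all function names are assumptions for illustration.

```python
"""Two independent login conveniences, implemented server-side:
  * "Remember me": a cookie holding only the username, used to pre-fill the
    login form. The password is still required on every login.
  * "Stay signed in": a long-lived session cookie backed by a server-side
    session record that can be revoked (logout, password change).
"""
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for the example; a real site would use a database.
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes}
SESSIONS = {}  # sha256(token) -> {"user": str, "expires": float}

SHORT_TTL = 30 * 60             # plain login: 30 minutes of server-side validity (assumed)
LONG_TTL = 30 * 24 * 60 * 60    # "stay signed in": 30 days (assumed policy)


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _pw_hash(password, salt)}


def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _pw_hash(password, user["salt"]))


def _token_key(token):
    # Store only a hash of the token: a leaked SESSIONS table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, password, remember_me=False, stay_signed_in=False, now=None):
    """Verify credentials and return the cookies to set, or None on failure.

    Each cookie is {"value", "max_age", "httponly", "secure"}; max_age=None
    means a browser-session cookie that dies when the browser is closed.
    """
    now = time.time() if now is None else now
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    ttl = LONG_TTL if stay_signed_in else SHORT_TTL
    SESSIONS[_token_key(token)] = {"user": username, "expires": now + ttl}
    cookies = {
        "session": {"value": token, "max_age": ttl if stay_signed_in else None,
                    "httponly": True, "secure": True},
    }
    if remember_me:
        # Only the username is remembered, never the password.
        cookies["remembered_user"] = {"value": username, "max_age": LONG_TTL,
                                      "httponly": True, "secure": True}
    else:
        # Logging in with the box unticked clears any earlier "remember me" cookie.
        cookies["remembered_user"] = {"value": "", "max_age": 0,
                                      "httponly": True, "secure": True}
    return cookies


def current_user(token, now=None):
    """Resolve a session cookie to a username, or None if missing, expired or revoked."""
    now = time.time() if now is None else now
    key = _token_key(token)
    record = SESSIONS.get(key)
    if record is None:
        return None
    if record["expires"] <= now:
        del SESSIONS[key]   # lazy expiry of the server-side record
        return None
    return record["user"]


def login_form_prefill(cookies):
    """Username to pre-fill on the login page from a "remember me" cookie."""
    remembered = cookies.get("remembered_user")
    return remembered["value"] if remembered else ""


def logout(token):
    """Revoke one session server-side, not merely expire the cookie."""
    SESSIONS.pop(_token_key(token), None)


def change_password(username, old_password, new_password, keep_token=None):
    """Change the password and revoke every other session for this user.

    Returns the number of sessions revoked, or None if old_password is wrong.
    The session making the change (keep_token) survives so the user is not
    logged out of the device they are currently on.
    """
    if not verify_password(username, old_password):
        return None
    register(username, new_password)   # re-salt and re-hash
    keep = _token_key(keep_token) if keep_token else None
    doomed = [k for k, rec in SESSIONS.items() if rec["user"] == username and k != keep]
    for k in doomed:
        del SESSIONS[k]
    return len(doomed)
```

The point of keeping the session record server-side is that "stay signed in" can be undone: a password change or an explicit logout deletes the record, and a stolen cookie stops working at that moment. A "remember me" cookie carries nothing worth revoking, which is why it can be long-lived and why it is the less dangerous of the two on a shared machine.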