I’ve written an add-on for a web application that inserts a “Remember Me” checkbox into login forms. One of my users expressed surprise that they are not remembered after logging out! Clearly someone who has logged out should stay logged out, and despite a specific request I will not fill the password field as that means storing the password in clear text.
My question is: should the email address/username be pre-filled for a login form if a user has previously marked the “Remember Me” box?
Obviously if done on a public computer that would be effectively broadcasting their personal details to the next stranger who used that computer, but a user shouldn’t use the “Remember Me” option on public computers anyway.
What are the security considerations of doing this? Do users expect some of their details to be remembered after logging out?
Edit: It occurs to me that browsers all have a feature to remember form values and login details anyway, perhaps making this unnecessary.
“Remember me” is not the same thing as “keep me signed in.”
Many banking sites use “remember me” to save the username (but not the session) even after the user has logged out (ING Direct and Citizens Bank are a couple of examples). They usually hide part of the name for security purposes.
To make things clear for your users, you probably want to change the wording to “stay signed in” or something similar.
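The distinction drawn in the answer above, sketched as an added example that is not part of the original question or answer: the session cookie is dropped at logout while a separate cookie keeps only the username, which is shown masked in the login form. The cookie names, the HMAC-signed cookie format, the masking rule and the in-memory key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for the demo; a real deployment loads it from secret storage.
SECRET_KEY = secrets.token_bytes(32)
SESSION_COOKIE = "session_id"        # hypothetical cookie names
REMEMBER_COOKIE = "remembered_user"


def _sign(value: str) -> bytes:
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest().encode()


def login(username: str, remember: bool) -> dict:
    """Return the cookies to set after a successful authentication."""
    cookies = {SESSION_COOKIE: secrets.token_urlsafe(32)}
    if remember:
        # Only the identifier is stored, never the password or a session token.
        cookies[REMEMBER_COOKIE] = f"{username}|{_sign(username).decode()}"
    return cookies


def logout(cookies: dict) -> dict:
    """Drop the session; the remembered identifier survives logout."""
    return {k: v for k, v in cookies.items() if k != SESSION_COOKIE}


def remembered_username(cookies: dict):
    """Return the username from the cookie if its MAC verifies, else None."""
    username, sep, mac = cookies.get(REMEMBER_COOKIE, "").rpartition("|")
    if not sep or not hmac.compare_digest(mac.encode(), _sign(username)):
        return None
    return username


def mask(identifier: str) -> str:
    """Hide most of the identifier before it is rendered in the form."""
    local, at, domain = identifier.partition("@")
    return local[:2] + "*" * max(len(local) - 2, 0) + at + domain


def login_form_hint(cookies: dict) -> str:
    """Masked name to display in the login form, or '' if nobody is remembered."""
    username = remembered_username(cookies)
    return mask(username) if username else ""
```

When the form is submitted, the server takes the username from the verified cookie rather than from the masked text, and the password is still required.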