Today we’re announcing the addition of a Remember me feature to LoginRocket.

In our implementation, users may select to have their email or username remembered for future logins. Remembered emails/usernames are stored entirely client-side and prepopulated on the next visit to the login form. This does not remember passwords or otherwise affect the configured session lifetimes.

Since this may not be wanted for all apps, it is an opt-in feature and may be found at Settings -> LoginRocket -> Other features -> Logins.

We’ve also enabled the same for logins to Cosmic’s management portal.

It’s been a while since we’ve added an entirely new event type within AuthRocket, but today is that day. We’re pleased to make available the new session.deleted event.

As you might guess from the name, session.deleted is sent when a Session is deleted before its expiration time. Since Sessions and JWTs already include an expiration time, session.deleted is not sent upon or after Session expiry.

This greatly improves the ability to cache sessions as now a webhook for session.deleted can be used to prematurely expire the cached copy.

Similarly, for apps relying solely on issued JWTs, this new webhook can be used to populate the app’s list of invalidated sessions. To help maintain such a list, the webhook payload will include the original expiration time. This bridges the gap until the session would have expired anyway.

Related, session.deleted is now triggered for all outstanding sessions upon a successful password reset or administrative password change.

Finally, sessions may now be optionally deleted upon a user-initiated password change with the new keep_sessions argument. The default value is all which preserves existing API behavior. LoginRocket now deletes all sessions except the one being used to perform the password change.