I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. What is the best way to implement this? I know I will need to store a cookie on their computer, but what should be in it? Is there anything I need to watch out for to keep this cookie from presenting a security hole?
+2
A:
Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).
When they return look them up by the remember me token and make sure the UserId matches.
jonnii
2008-10-28 21:14:25
+1
A:
I would store a user ID and a token. When the user comes back to the site compare those two pieces of information against something persistent like a DB entry.
As for security, just don't put anything in there that will allow someone to modify the cookie to gain extra benefits. For example, don't store their user groups there or their password. Anything that can be modified that would circumvent your security should not be stored in the cookie.
dragonmantank
2008-10-28 21:17:53
+21
A:
Improved Persistent Login Cookie Best Practice
You could use this strategy described here as best practice:
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
- The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.
- When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.
- If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.
- If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
- If the username and series are not present, the login cookie is ignored.
splattne
2008-10-28 21:20:49
see also:http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication-beta#477579 you should NOT read the 'improved' version
Jacco
2009-03-05 11:56:44
The problem with this is that you expose the username in the cookie, though this is what Gmail does. Why do you need both a series ID and a token? Wouldn't a bigger token be fine?
Yar
2009-07-02 15:16:30
@yar: no it wouldn't be fine and the article describes why
cherouvim
2010-04-14 13:17:17
@cherouvim, thanks for that. Why?
Yar
2010-04-14 22:23:54
@yar: the article describes in detail. the series is being used to mitigate the results of a cookie theft.
cherouvim
2010-04-15 07:06:39
Also make sure that changing the user's password or password recovery information requires the original password. If the cookie is compromised, the attacker cannot prevent the original owner from accessing the account.
Exception
2010-08-25 03:43:04
can anyone explain when will the series identifier change? if never, then storing the username encrypted and the token will suffice?
altvali
2010-10-31 00:19:41
+3
A:
Investigating persistent sessions myself I have found that it's simply not worth the security risk. Use it if you absolutely have to, but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker.
The reason being of course that your cookies containing you persistent session are so easily stolen.
4 ways to steal you cookies (from a comment by Jens Roland on the page splattne based his answer on):
- By intercepting it over an unsecure line (packet sniffing / session hijacking)
- By directly accessing the user's browser (via either malware or physical access to the box)
- By reading it from the server database (probably SQL Injection, but could be anything)
- By an XSS hack (or similar client-side exploit)