After looking into our login system to add some new features, I found out that it isn't very secure. The auth cookie was the encryption of user id, stamp, version, PASSWORD IN THE RAW, and a cookie id
At least I can say I am not the one who did it like that, a previous developer did. (Yes, I know that password should be saved as a hash in the database instead of plain text. The original developer did it that way and I haven't fixed that yet.)
So I did a lot of reading about secure login and secure cookies on here and on the web. I can see how easy it is to do it not securely.
About the site
- it is an e-commerce site that also has a lot of community things(message board, gallery)
- the login page is forced HTTPS
- all the account pages and checkout are also forced HTTPS
- the current password is required to change the password or email address
Here is my plan:
Goals:
- beable to be logged in in more than one place
- need to relogin for secure parts of the store, only lasts 30-60 min, cookie set secure only
- option to see all current logins
- option to log out in all places
backend login is secure, and lasts longer. limited login for outside of office
user gets page: no auth: have user sign in with username & pass create new token expires = https on store: 30-60 min backend in office: 5 days backend remote: 30-60 min? regular without remember me: session or 24 hours? regular with remember me: 30 days insert into user_session set cookie auth: token in db: set uid generate new token, new expires, insert into DB, remove old? upddate cookie token not in db: logout, requre sign in table user_session: uid uid_as (for being 'logged in' as another user, admin feature only) token type ip address expires stamp cookie value: token|hash(token + user id, server key)
From all that I have read, that is what I have came up with. I do feel like I am missing something though. Is there any problems with my plan or ways to make it more secure other than using HTTPS for the entire site? (it will currently cause a some problems, but I will be looking into this later)