Is this login system secure enough?

Question

After looking into our login system to add some new features, I found out that it isn't very secure. The auth cookie was the encryption of user id, stamp, version, PASSWORD IN THE RAW, and a cookie id At least I can say I am not the one who did it like that, a previous developer did. (Yes, I know that password should be saved as a hash in the database instead of plain text. The original developer did it that way and I haven't fixed that yet.)

So I did a lot of reading about secure login and secure cookies on here and on the web. I can see how easy it is to do it not securely.

About the site

• it is an e-commerce site that also has a lot of community things(message board, gallery)
• the login page is forced HTTPS
• all the account pages and checkout are also forced HTTPS
• the current password is required to change the password or email address

Here is my plan:

Goals:

• beable to be logged in in more than one place
• need to relogin for secure parts of the store, only lasts 30-60 min, cookie set secure only
• option to see all current logins
• option to log out in all places

• backend login is secure, and lasts longer. limited login for outside of office

    user gets page:
     no auth:
      have user sign in with username & pass          
      create new token
      expires =
       https on store: 30-60 min 
       backend in office: 5 days
       backend remote: 30-60 min?
       regular without remember me: session or 24 hours?
       regular with remember me: 30 days
      insert into user_session
      set cookie
     auth:
      token in db:
       set uid
       generate new token, new expires, insert into DB, remove old?
       upddate cookie
      token not in db:
       logout, requre sign in
  
  
    table user_session:
     uid
     uid_as   (for being 'logged in' as another user, admin feature only)
     token
     type
     ip address
     expires
     stamp
  
  
    cookie value: token|hash(token + user id, server key) 
  

From all that I have read, that is what I have came up with. I do feel like I am missing something though. Is there any problems with my plan or ways to make it more secure other than using HTTPS for the entire site? (it will currently cause a some problems, but I will be looking into this later)

Answer 1

Sounds like a great step forward - your cookie value can still be hijacked by another user, especially if the user doesn't logout (destroy the db info about the session). Just something to be aware of.

If you want to support multi logins at once you'll need to consider same token for all (bad plan) or a unique token per session. In the later case you'll want to tie the session to an IP - which also cuts down on the ability to spoof the token from another computer.

For critical transactions (if there are any) you may also ask users to reconfirm their password (through HTTPS).