tags:

views:

662

answers:

3
+3  Q: 

Securely implementing session state and 'keep me logged in' feature

I would like to improve security on a current application regarding session management and I want the users to be logged in until they explicitly logout.

How does one implement that securely?

Keep session information in database, like sessionid, ip, useragent?

Please provide the requirements, possibly a database layout, do's and don'ts, tips and tricks.

Note: I know frameworks like asp.NET, rails, codeigniter, etc... already take care of that, but this is not an option. Actually it for a classic asp application. But I think this question does not relate to a specific language.

+2  A: 

Create a cookie with a ridiculous expiry like 2030 or something. If you need session state, keep a session ID in the cookie (encrypted if security is priority) and map that to a table in a database. IP/UserAgent etc. tend to be meta-data, the cookie is the key to the session.

Program.X  2009-03-26 11:06:56
I have found no valid case for encrypting cookie data that does anything other than make a non-secure scheme (storing data on the client) slightly less non-secure. I'll happily be proven wrong if someone can come up with one.
cletus  2009-03-26 11:36:14
+1  A: 

Read Improved Persistent Login Cookie Best Practice (both the article and comments).

Gumbo  2009-03-26 11:11:25
This looks like exactly what i was looking for...
Sander Versluys  2009-03-26 11:17:24
+2  A: 

You should know that such a system cannot be secure unless you use https.

It's quite simple:

  1. User logs in.
  2. The server sends the user a cookie with an expire date far in the future.
  3. If you want, you can record the IP of the user.
  4. User requests another page.
  5. The server checks the cookie (possibly the IP stored with the cookie), sees that the user is logged in, and servers the page.

Some security considerations:

As stated above, there is no secure way unless you use https.

If you're using shared hosting, try to find out where your cookies are stored. Often they reside in the /tmp directory, where every user as access to and through that someone could possibly steal your cookies.

Track the IP, if you know that the computer isn't ever going to change it.

Don't store any information in the cookie. Just store a random number there and store the information belonging to it on the server in a database. (Not sensitive information like preferred colour can be stored in the cookie, of course.)

Georg  2009-03-26 11:16:39
what about multiple computer with the same ip?
Sander Versluys  2009-03-26 11:21:40
There isn't really anything that you can do against it, but as stated in Gumbo's post you could make it easier to detect attackers.
Georg  2009-03-26 11:30:29

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security