If a user logs into the site and says 'remember me', we get the unique identifier for the user, encrypt this with RijndaelManaged with a key size of 256 and place this in an HttpOnly cookie with a set expiration of, say, 120 days; the expiration is refreshed on each successful request to the server.

Optionally we generate the initialization vector based upon the user agent and part of the ipv4 address (the last two octets).

Obviously there's no real expiration system built into this; the user could technically use this encrypted key forever (given we don't change the server-side key).

I considered the fact that to allow this feature I need to allow the user to bypass the login and give me their unique id (which is a GUID). I figured that with the GUID alone it was really hard to guess a real user's GUID, but it would leave the site open to attack by botnets generating GUIDs (I've no idea how realistic it is for them to find a legit GUID), so this is why there's encryption where the server knows the encryption key, and optionally the IV is specific to the browser and IP part.

Should I be considering a different approach where the server issues tickets associated with a user, and these tickets would have a known expiration date so the server stays in control of expiration? Should I really care about expiration? Remember me is remember me, after all?

Looking forward to being humbled ;), Cheers.

A: 

Did you consider something like Open Id? As SO uses.

Josh
Hi Josh, actually the site may use openid in the future, but remember me functionality still needs to remember who you claim to be according to our database of users.
meandmycode
A: 

How important is the information that is being remembered? If it's not going to be anything very personal or important, just put a GUID in the cookie.

Including the IP address in the calculation is probably a bad idea, as it would make users using public networks be instantly forgotten.

Using brute force to find GUIDs is ridiculous, as there are 2^128 possibilities.

sysrqb
Address details potentially, and order history. Also, yes, the IP thing is optional given the proxy issues with some networks.
meandmycode
+3  A: 

Very similar question.

The solution to your question is in this blog post

"Persistent Login Cookie Best Practice," describes a relatively secure approach to implementing the familiar "Remember Me" option for web sites. In this article, I propose an improvement that retains all the benefits of that approach but also makes it possible to detect when a persistent login cookie has been stolen and used by an attacker.

As Jacco says in the comments: for in depth info about secure authentication read The Definitive Guide To Website Authentication.

Sander Versluys
Super, I should have searched better ;) cheers.
meandmycode
You should read the original post: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/.
Jacco
The 'improved' version does not offer any improvements. See also: http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication-beta#477579 There is also an explanation of the issue somewhere down in the comments on the 'improved' version.
Jacco
@jacco thanks! Strangely enough, I was not aware of that question.
Sander Versluys
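The server-issued ticket approach the accepted answer points to (the series/token scheme from the linked "Persistent Login Cookie Best Practice" post), as an added Python sketch; this is not code from the question or from either linked article. The in-memory dict, the 120-day lifetime taken from the question, and storing only a hash of the token at rest are assumptions of this example.

```python
import hashlib
import secrets
import time


class RememberMeStore:
    """Server-side store for persistent-login cookies of the form series:token.

    Each series belongs to one user and the token rotates on every successful use,
    so a copied cookie stops working as soon as either party uses it. A known series
    presented with a wrong token is treated as theft and every series of that user
    is revoked. Expiry is enforced here, not in the cookie, so the server stays in
    control of it (the question's concern). Assumed lifetime: 120 days.
    """

    def __init__(self, lifetime_seconds=120 * 24 * 3600, now=time.time):
        self.lifetime = lifetime_seconds
        self.now = now  # injectable clock, so expiry can be tested offline
        self.series = {}  # series_id -> {"user": ..., "token_hash": ..., "expires": ...}

    @staticmethod
    def _hash(token):
        # Only a hash is kept at rest (assumption): a leaked table yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Called at login when the user ticks 'remember me'. Returns the cookie value."""
        series_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.series[series_id] = {"user": user_id, "token_hash": self._hash(token),
                                  "expires": self.now() + self.lifetime}
        return f"{series_id}:{token}"

    def redeem(self, cookie):
        """Returns (user_id, new_cookie) on success, else (None, None)."""
        try:
            series_id, token = cookie.split(":", 1)
        except ValueError:
            return None, None
        entry = self.series.get(series_id)
        if entry is None:
            return None, None
        if entry["expires"] < self.now():  # server-side expiry, independent of the cookie
            del self.series[series_id]
            return None, None
        if not secrets.compare_digest(entry["token_hash"], self._hash(token)):
            self.revoke_user(entry["user"])  # series known but token wrong: cookie was copied
            return None, None
        new_token = secrets.token_urlsafe(32)  # rotate on every use
        entry["token_hash"] = self._hash(new_token)
        entry["expires"] = self.now() + self.lifetime
        return entry["user"], f"{series_id}:{new_token}"

    def revoke_user(self, user_id):
        for sid in [s for s, e in self.series.items() if e["user"] == user_id]:
            del self.series[sid]
```

The new cookie returned by `redeem` must replace the old one in the response on every request, which is what makes a stolen copy detectable the next time either holder presents it.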