
This is a branch of another question: What is the best way to implement "remember me" for a website?

The top answer is to implement this: http://jaspan.com/improved_persistent_login_cookie_best_practice

A summary:

Use a random number as a Series Token, and another as a Login Token. Place those in the Stay Logged In cookie, along with the username. Assign a second, normal Session cookie. Each time a user arrives without a Session cookie, consume the Stay Logged In cookie. Issue a new one, this time with a new random Login Token, keeping the Series Token the same.

Why include the username? How is that helping? The Series Token should be enough to identify the user and series. The Series Token was added in this approach to prevent a DoS attack where an attacker just guesses all usernames and hits the site all at once, logging everyone out. But why does it make sense to leave the username in at all?

Chris Moschini
  • AFAICT including the username does two things. Firstly it makes it harder to DoS remembered logins by sending random Series Tokens. (The DoS will only succeed if you guess a valid Series Token _and_ its paired username.) Secondly the username defends against innocent collisions between Series Tokens issued to different users. Without the username a Series Token collision would look like a theft indication. Of course if you can guarantee that every new Series Token is unique among all still-valid previously-issued Series Tokens then this is a non-issue. – ottomeister Jun 09 '12 at 07:42
  • This makes the most sense so far. In a very distributed system where checking uniqueness for Series Tokens isn't performant, I can see why you'd include either the username or, I'd prefer, a hash of the username. But if Series Tokens are unique, may as well take the username away from potential attackers. – Chris Moschini Jun 09 '12 at 19:01
  • Isn't it better to use the user ID instead of the username because of the integer vs. string lookup performance? – axelbrz Sep 08 '14 at 18:43
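The Series Token / Login Token scheme summarised in the question, as an added Python sketch (not code from the linked article or from any answer here). The in-memory table, the function names and the token lengths are my assumptions; the lookup is keyed by the (username, series) pair as the article describes, so dropping the username means keying on the series alone:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the server-side table (a real site would use
# a database). Keyed by the (username, series) pair, exactly as the article's
# lookup is described; the value is a hash of the currently valid login token.
_store: Dict[Tuple[str, str], str] = {}


def _digest(token: str) -> str:
    # Only a hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue(username: str, series: Optional[str] = None) -> dict:
    """Start a new series at login, or rotate the login token of an existing one."""
    series = series or secrets.token_urlsafe(16)
    login = secrets.token_urlsafe(16)
    _store[(username, series)] = _digest(login)
    return {"username": username, "series": series, "login": login}


def consume(cookie: dict) -> Tuple[str, Optional[dict]]:
    """Handle a Stay Logged In cookie presented by a client with no session cookie.

    Returns (outcome, replacement_cookie); outcome is 'ok', 'theft' or 'unknown'.
    """
    key = (cookie["username"], cookie["series"])
    stored = _store.get(key)
    if stored is None:
        # No such pair: an expired, revoked or guessed cookie. Nothing to act on.
        return "unknown", None
    if not hmac.compare_digest(stored, _digest(cookie["login"])):
        # Valid series, stale login token: an old cookie is being replayed, so
        # someone else already used it. Revoke every series this user holds.
        for k in [k for k in _store if k[0] == cookie["username"]]:
            del _store[k]
        return "theft", None
    # Valid pair: the login token is single-use, so rotate it and keep the series.
    return "ok", issue(cookie["username"], cookie["series"])
```

Replaying a cookie whose login token has already been rotated is what the scheme treats as theft, and the response is to revoke all of that user's series rather than just the one presented.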

2 Answers


The username and number are looked up as a pair on the server before issuing a new session cookie. Without the username it would be less secure (could replay using a different user if you stole the number) and harder to look up.

Jeff Watkins
  • 1) It's not harder to look up. The series token is a unique number; that's a cheap lookup. 2) How could it replay with a different user? They would have a different series token. Once the series token is revoked due to a failed attack, the series token is as useful as a random number. – Chris Moschini Jun 09 '12 at 01:46

My guess on this:

The username is for audit. If you require the client to send it together with the token for authentication, then you know which user is attempting to authenticate, which allows you to react in some sane way to the token being wrong.

If you only ask for the token during auth, then you don't know which user is actually trying it; on a match you just grant someone access, but you can't do anything on a failure. Someone can just blindly go through them.

With that in mind, let's say we settle on using both the username and the token. Now if the token is wrong we can remove all the other tokens for that user. But that opens the system up to DoS: an attacker can log out anyone at will. So for that the series is added.

It does not have to be the username; some other info that allows identifying the user will work too.

clorz