
I'm using Bcrypt as shown in https://stackoverflow.com/a/6337021/999516 to store passwords in the database, and I'm trying to add the 'remember me' feature to keep users logged in with cookies.

When a user logs in successfully, I re-create the hash and update it in the DB. If the user has checked the remember option, I create a cookie with USER_ID and an expiration, and now I don't understand: which value must I store in the cookie? The complete char(60) hash?

TMichel

1 Answer

I would recommend implementing a separate "remembrance" hash to store in the cookie, with a corresponding DB table associating that hash to a specific user ID and expiry. Storing the actual user ID in the cookie is a Really Bad Idea since you have no way of verifying that they didn't just change the user ID stored in the cookie. By storing a completely separate hash in the cookie, you can easily look up which user it belongs to in your DB table and auto-log them back in if it's valid and unmodified.

Rylab
  • Thanks for your advice. This seems to be a reasonable way to do it. One thing that concerns me is that in order to be able to check for a user cookie in every section of the site, I can't add security access to the cookie, as I would have to set `https` on every page. Do you know any way to deal with this? – TMichel Jul 11 '12 at 10:35
  • The "remembrance" cookie I'm suggesting is different, and completely separate, from the session (where you should store the actual logged-in user). The remembrance cookie only needs to be checked when a new session starts, which should only happen from an https auth function. – Rylab Jul 11 '12 at 21:27
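A sketch of the separate "remembrance" token the answer describes, as an added example that is not part of the original post: an in-memory dict stands in for the DB table, and the function names, the SHA-256 hashing of the token before storage, and the single-use rotation are assumptions of this example rather than anything the answer specifies.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for the "remembrance" DB table:
# sha256(token) -> (user_id, expires_at). Only the hash is stored, so a
# leaked table does not hand out valid cookies (assumption of this example).
REMEMBER_TABLE: Dict[str, Tuple[int, float]] = {}
REMEMBER_TTL = 30 * 24 * 3600  # 30 days, an arbitrary choice


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a fresh random token for user_id and return the cookie value.

    The cookie carries neither the user ID nor the bcrypt password hash:
    it is an opaque random value that the DB row maps back to the user.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    REMEMBER_TABLE[_hash_token(token)] = (user_id, now + REMEMBER_TTL)
    return token


def resolve_remember_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Check the cookie when a new session starts.

    Returns the user_id if the token is known and unexpired, else None.
    The row is removed on every lookup, so a valid token is single-use and
    the caller should issue a replacement with issue_remember_token().
    """
    now = time.time() if now is None else now
    row = REMEMBER_TABLE.pop(_hash_token(token), None)
    if row is None:
        return None  # unknown, tampered or already-used token
    user_id, expires_at = row
    if now >= expires_at:
        return None  # expired: the row is gone either way
    return user_id
```

In a real application the cookie holding this token would also be set with the HttpOnly and Secure flags and only read by the HTTPS session-start code path the answer's comment mentions.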