
I am using a computer at my place of work as a dedicated web server for the application (so sessions won't be shared).

I want to develop a secure "remember me" functionality, and I was wondering which is the best way to do it:

  • Sessions
  • Cookies

With cookies I would have to encrypt the user password, create some salts and add some fields in the database (as detailed here or here).

Wouldn't it be simpler to use sessions in this case, configuring them to last longer?

Thanks.

Alvaro
  • If the sessions aren't shared it might cause errors or even lead to a security risk... Technically a hacker could get credentials of all users currently on. – cjds Dec 17 '12 at 16:57
  • Are sessions therefore not secure? Can a hacker have access to them? – Alvaro Dec 17 '12 at 16:58
  • @Steve if the remember me token is held inside a cookie then the threat model is the same as for session cookies. But! A session holds memory on the server side, and provides the attacker a context, and that's not good. A remember me token enforces reauthentication (which can change the token value for more security), plus you could track users' reauthentication. And I think storing user sessions for i.e. two weeks is not the best app config decision :) An attacker could DoS your server pretty easily :) – damiankolasa Dec 17 '12 at 20:18

2 Answers

Cookies.

You need to store some state on the client. The idea of "remember me" is that coming back to the same site without a session will still get you logged back in, without having a valid session established.

Cookies allow you to store state. There can be other ways to do it, but definitely not sessions.

Vitaly Osipov

Cookies vs. Sessions

PROS for Sessions:

  1. Sessions might be easier to configure.
  2. Sessions would work well for a limited number of extremely TRUSTED users.
  3. Cookies and sessions have the same threat model. If a hacker can decrypt a cookie he can decrypt a session.

CONS

  1. If your server is attacked, the attacker gains a context, i.e. a whole bunch of tokens via which he can decrypt the data.

Sessions hold memory on the server side. Also session cookies expire when the browser closes. Though this could be re-configured (if you try really hard). You basically end up re-creating the cookie in a slightly new avatar.

All in all, cookies vs. sessions for "remember me": it's cookies without a doubt.

cjds
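Both answers say the persistent-login state has to live in a cookie while the server keeps only what it needs to verify it; damiankolasa's comment adds that the token should be a credential in its own right, separate from the session and from the password. As an added example (not code from the question, the answers, or any library they link to), here is the selector/validator pattern that the "add some fields in the database" remark points at, written in Python with an in-memory dict standing in for the database table. The cookie carries a random selector (the lookup key) and a random validator; only a hash of the validator is stored server-side, so a read-only leak of the table does not hand out replayable cookies, and the user's password is never involved. The function names, the table layout, the two-week lifetime and the cookie attributes are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stand-in for the "remember me" database table
# (selector -> {user_id, validator_hash, expires_at}). A real application
# keeps this in a table keyed on the selector; the logic is the same.
REMEMBER_ME_TABLE = {}

TOKEN_LIFETIME = 14 * 24 * 3600  # two weeks, in seconds (assumed lifetime)


def _hash_validator(validator: str) -> str:
    # The validator is 256 bits of CSPRNG output, so a plain fast hash is enough:
    # there is nothing guessable for a leaked hash to be cracked against.
    return hashlib.sha256(validator.encode("ascii")).hexdigest()


def issue_remember_me(user_id: int, now: Optional[float] = None) -> Tuple[str, dict]:
    """Create a persistent-login token for user_id.

    Returns (cookie_value, cookie_attributes). The cookie value is
    "<selector>:<validator>"; the table stores only hash(validator).
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key; not secret
    validator = secrets.token_urlsafe(32)  # secret half; lives only in the cookie
    REMEMBER_ME_TABLE[selector] = {
        "user_id": user_id,
        "validator_hash": _hash_validator(validator),
        "expires_at": now + TOKEN_LIFETIME,
    }
    attributes = {
        "HttpOnly": True,       # not readable from page scripts
        "Secure": True,         # only sent over TLS
        "SameSite": "Lax",      # not attached to cross-site POSTs
        "Path": "/",
        "Max-Age": TOKEN_LIFETIME,
    }
    return f"{selector}:{validator}", attributes


def check_remember_me(cookie_value: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user_id for a valid cookie, otherwise None.

    An unknown selector is simply rejected. A known selector with a wrong
    validator is treated as a sign the token may have been copied, so the row
    is deleted and neither copy of the cookie keeps working.
    """
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    if not sep or not selector or not validator:
        return None
    row = REMEMBER_ME_TABLE.get(selector)
    if row is None:
        return None
    if now >= row["expires_at"]:
        del REMEMBER_ME_TABLE[selector]  # expired tokens are garbage-collected on use
        return None
    # Constant-time comparison so response timing does not leak matching prefixes.
    if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
        del REMEMBER_ME_TABLE[selector]
        return None
    return row["user_id"]


def revoke_remember_me(user_id: int) -> int:
    """Delete every token for user_id (logout everywhere, password change).
    Returns how many tokens were removed."""
    doomed = [s for s, r in REMEMBER_ME_TABLE.items() if r["user_id"] == user_id]
    for s in doomed:
        del REMEMBER_ME_TABLE[s]
    return len(doomed)


if __name__ == "__main__":
    cookie, attrs = issue_remember_me(42)
    print("Set-Cookie: remember_me=<selector:validator>; " +
          "; ".join(f"{k}={v}" for k, v in attrs.items()))
    print("valid cookie ->", check_remember_me(cookie))
    sel, val = cookie.split(":")
    forged = sel + ":" + ("A" if val[0] != "A" else "B") + val[1:]
    print("wrong validator ->", check_remember_me(forged))
    print("original after forgery ->", check_remember_me(cookie))
```

On a successful check the application should start a fresh server session for the returned user, and on any failure it should clear the cookie. Because the validator is compared against a stored hash rather than the password, changing the password or calling `revoke_remember_me` cuts off every outstanding cookie without touching the session store, which is the separation the comments above argue for.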