1

I want to implement a simple remember me for logged in users, so they will stay logged in after closing the browser. So I was thinking creating a cookie that holds a unique key generated by UUID.randomUUID, and on the server side I map it to a username.

Is that secure enough? What are the risks? Should I take precautions to prevent hackers from trying random keys?

I was thinking about using a framework for authentication like spring security or apache shiro, but I couldn't find any benefit that they give me (I don't need complex access control, just user registration/login). Am I missing something crucial in terms of security?

update

I guess my question is actually: do frameworks like spring and shiro do something substantially more sophisticated for remember me functionality that produce security that I probably can't match?

Moshe Shaham
  • 15,448
  • 22
  • 74
  • 114
  • Secure enough? Depends on for what. Nothing important should be handled like that. Hackers can and will try random keys - or worse, do a man-in-the-middle attack and read your session id by eavesdropping on the wire. – CPerkins Apr 16 '13 at 20:18
  • You'd be vulnerable to replay attacks, for one. Anything short of issuing client certificates is really kind of fuzzy in terms of security. For information about replay attacks, see http://en.wikipedia.org/wiki/Replay_attack –  Apr 16 '13 at 20:19
  • See [The definitive guide to forms based website authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication). – Paul Vargas Apr 16 '13 at 20:20
  • Everything is insecure when sent via http. Most sites live with this reality. As for using a uuid, I would think that is more predictable than something like sha1(username . uuid); The thing about cookies that make them especially problematic is that they are sent in every client request. – gview Apr 16 '13 at 20:25

2 Answers2

1

Spring security provides declarative security. I assume that you are using spring framework for you application. Spring security and Spring framework in general provides the flexibility which you will not realize until the moment it is required. I have been in situations where I was thankful of Spring where unforeseen customization were needed.

Spring security allows you to plugin authentication model easily- DB based, LDAP based etc. It provides a default login page if you want to use one, provides redirection to login page based on the URL accessed and allow the user to continue to the URL once authentication is complete and many more things, which reduce the amount of boiler plate code to be written. It also provides an implementation of Remember Me. http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html. But, security implications need to be considered in detail.

Spring security itself will not provide a better implementation for remember me. But, I think it could be considered for other advantages it provides.

Krishna
  • 1,871
  • 14
  • 26
0

Lets start with the answer on "How remember me functionality works?". Both spring-security and shiro has similar remember me service implementation. They save encrypted subject in cookie and then authenticate user from this cookie. It means that server sends response to the client with the header Set-Cookie:<character sequence> and then client sends request with the header Cookie:<character sequence>.

Now lets imagine that we want to sign in to someones account:

  1. We can just use victim's computer. (so never perform highly-sensitive operations if user is authenticated with remember me service). This can also be applied to username-password authentication when session is not finished(browser is open) and victim goes to lunch.
  2. We can analyze http traffic to retrieve Cookie headers and then sign in using this header. (so you can use https to prevent traffic analysis). This can also be applied to username-password authentication.
  3. We can try random keys (you can use some brute-force filter in conjunction with some complex subject encoding algorithm). This can also be applied to username-password authentication.

Conclusion: Never perform highly-sensitive operations if user is authenticated with remember me service. Use https if you need. Use brute-force defence. Think about encryption.

sody
  • 3,731
  • 1
  • 23
  • 28