
I am implementing remember-me functionality for login. I used jQuery as in the following code, but the big disadvantage of that code, as I mention below the snippet, is that the plaintext password is stored in the browser. It's not secure. Can anyone tell me how to implement a safe and secure remember me?

$("#login_form").ready(function() { 
    $('#username').val($.cookie('username')).change();
    $('#password').val($.cookie('password')).change();    
    //alert($('#password').val($.cookie('password')).change());  
    $('#remember').click(function()
    {
       var username = $('#username').val();
       var password = $('#password').val();    
       // set cookies to expire in 30 days
       $.cookie('username', username, { expires: 30 });
       $.cookie('password', password, { expires: 30 });        
    });
});
Mohit S
sathish
  • Don't keep the password in a cookie... just keep the username. – NullPoiиteя Aug 10 '15 at 06:07
  • And then what to do about the password? How can we remember that? – sathish Aug 10 '15 at 06:10
  • I'd do neither (not use username or password), and make a special table with a random key that is tied back to the user. Harder to set up but a far better design. – ArtisticPhoenix Aug 10 '15 at 06:12
  • Check this: http://stackoverflow.com/a/4540915/1723893 – NullPoiиteя Aug 10 '15 at 06:16
  • I think what they are trying to suggest is to generate a random string/id/variable and then keep that in the session while also storing it in the database against that user. This would also mean that as soon as someone else logs in under the same account, it would kick the first user. In general, try to avoid using the session/cookies to store any user data. – Angry 84 Aug 10 '15 at 06:24
  • http://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach – DarkBee Aug 10 '15 at 06:29
  • Do not store any version of the user's password locally. Enable the ability for passwords to be stored by the browser via default browser functionality (which allows the user to opt in and uses a much stronger built-in browser approach). If you need to allow the user to return without logging in at all, this can be done with a unique, server-generated token. But this is prone to cookie hijacking. – Anthony Aug 10 '15 at 07:09

1 Answer

The way to do this is to make a random (pseudo-random) key and not expose any user information such as a password or login. You can make an easy key for this using

sha1($login . microtime() . rand(0, 10000));

And a simple table to create a relationship back to the user account. If you use just the login, then I could easily create a cookie and hack your user accounts. If you expose the password, same deal. If you encrypt the password it would need to be 2-way encryption, which is about the weakest type of encryption, and the complexity of doing that right makes it about the same effort as making a simple random key and a table to use. Not to mention you can put an expire field in the table, and/or use it for lost password resets once properly set up.

This is what I typically refer to as a passport. Another thing: you can set up some brute force protection and delay attempts to guess keys. Typically this could be done by tracking attempts and IP addresses and then delaying them after so many failed attempts (that is a bit outside the scope of this answer though).

ArtisticPhoenix
  • "and not expose any user information such as a password or login" --- "sha1($login" – zerkms Aug 10 '15 at 06:17
  • You suggested not to use password- or login-derived info on the first line, then you use `$login` on the second. It's kinda inconsistent. – zerkms Aug 10 '15 at 06:19
  • I didn't say derived; using the login as part of the base of a hash simply avoids collisions. I doubt it's worth brute forcing that, assuming they could (nearly impossible with random data), to get a username. That's a far cry from 2-way encryption, or putting a password in a cookie. The key here is `exposed`, not `derived`. – ArtisticPhoenix Aug 10 '15 at 06:20
  • Can I use user_id for the autologin function? Is it safe or not? – sathish Aug 12 '15 at 06:11
  • You mean just the user id? I'd say no, it would take me like 3 seconds to make a fake cookie for that. – ArtisticPhoenix Aug 12 '15 at 06:19
  • Any other alternate solution for that, other than a random (pseudo-random) key? – sathish Aug 12 '15 at 07:28
  • Encryption, but once you make the data static then you rely just on the system; if someone figures out how you encrypt it you can't just delete a row in the database, you have to redesign how you do it. You can do encryption that's not static, like with a salt for each record, but then the complexity is more. And in reality they don't need to know how you encrypt it, they just need to get hold of a cookie. If it's not static you can update it and the cookie every time they use it. – ArtisticPhoenix Aug 12 '15 at 23:30
  • Thank you, I got it, ArtisticPhoenix. – sathish Aug 13 '15 at 05:02