
I am trying to figure out how to implement "Remember me" into an app that I am working on. Currently my implementation looks like this.

  1. User signs in and requests to be remembered
  2. Server validates user with email/password
  3. If validation is successful, I generate a JSON web token using the user's email and a secret key stored on the server.
  4. The token is then sent back to the client as a cookie. At the same time, the token is hashed using bcrypt and stored in the user's record in the database.
  5. Now, when the user visits the page later, the cookie is sent to the server when the page is loaded and validated against the stored hash in the database.

To me this "seems" secure because the token essentially becomes the user's password and is treated accordingly on the server side. However, I'm not sure if this is actually secure or if there is something I am missing.

Matt Gilene
  • One problem I see is that someone could copy the cookie value to another computer and log in as that user. To solve this, you could use something secret about the user in the encryption algorithm-- perhaps their password? – Feathercrown Feb 14 '18 at 17:26
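A worked version of the five steps in the question, written in Python with only the standard library. This is an added example, not the asker's code. It assumes a few things the question does not state: the JWT carries a random `jti` claim (so two logins never produce the same token) and an `exp` claim; the cookie is set with `HttpOnly; Secure; SameSite=Lax`; PBKDF2-HMAC-SHA256 stands in for bcrypt, and `USERS` is a constructed in-memory stand-in for the database. One caveat worth knowing if you keep bcrypt: it only hashes the first 72 bytes of its input, and a JWT is longer than that, so bcrypt would ignore the tail of the token including most of its signature.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed, not from the question: secret comes from server config, tokens live 30 days,
# and each user has at most one stored remember-me hash (a new login replaces the old one).
SERVER_SECRET = b"replace-me-with-32-random-bytes-loaded-from-config"
TOKEN_TTL = 30 * 24 * 3600

# Constructed in-memory user table standing in for the database.
USERS = {"alice@example.com": {"remember_salt": None, "remember_hash": None}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Step 3: HS256 JWT over the claims, signed with the server secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Claims if the signature checks out, the header says HS256 and exp is in the future; else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        hdr, claims = json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        return None
    if not (isinstance(hdr, dict) and isinstance(claims, dict)) or hdr.get("alg") != "HS256":
        return None
    if not isinstance(claims.get("sub"), str) or not isinstance(claims.get("exp"), (int, float)):
        return None
    return claims if claims["exp"] > now else None


def hash_token(token: str, salt: bytes) -> bytes:
    # Stand-in for the question's bcrypt. bcrypt only hashes the first 72 bytes of its
    # input and a JWT is longer than that; PBKDF2 covers the whole token.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)


def parse_cookies(cookie_header: str) -> dict:
    pairs = (part.strip().partition("=") for part in cookie_header.split(";"))
    return {name: value for name, _, value in pairs if name}


def issue_remember_me(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 3-4, called only after the password check passed. Returns the Set-Cookie header value."""
    user = USERS.get(email)
    if user is None:
        return None
    now = time.time() if now is None else now
    # jti makes every issued token distinct; exp bounds how long a stolen cookie stays usable.
    token = make_jwt({"sub": email, "jti": secrets.token_urlsafe(16), "exp": int(now + TOKEN_TTL)})
    user["remember_salt"] = secrets.token_bytes(16)
    user["remember_hash"] = hash_token(token, user["remember_salt"])
    # HttpOnly: no script access; Secure: never over plain HTTP; SameSite=Lax: not sent on cross-site POSTs.
    return f"remember_me={token}; Max-Age={TOKEN_TTL}; Path=/; HttpOnly; Secure; SameSite=Lax"


def validate_remember_me(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Step 5: the email to sign in as, or None. Both the signature and the stored hash must match."""
    now = time.time() if now is None else now
    token = parse_cookies(cookie_header).get("remember_me")
    claims = verify_jwt(token, now) if token else None
    if claims is None:
        return None
    user = USERS.get(claims["sub"])
    if user is None or user["remember_hash"] is None:
        return None
    if not hmac.compare_digest(hash_token(token, user["remember_salt"]), user["remember_hash"]):
        return None  # validly signed but no longer the stored token: revoked or superseded
    return claims["sub"]


def forget(email: str) -> None:
    """Revocation on logout or password change: the cookie still has a valid signature but no longer matches."""
    user = USERS.get(email)
    if user is not None:
        user["remember_salt"] = user["remember_hash"] = None
```

Two properties of this layout are worth noticing. The signature alone would let the server accept the token without touching the database; what the stored hash buys is revocation (`forget`) and the fact that a second login supersedes the first, so a cookie copied off one machine stops working as soon as the user logs in again elsewhere. And the comparison against the stored hash uses `hmac.compare_digest`, so a tampered or stale token is rejected in constant time.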

1 Answer

Instead of cookies you can use the HTML5 Web Storage API. It is much more secure and is supported by all the modern browsers (IE8+).

LocalStorage is a nice interface around the Web Storage API. It is a form of client-side persistent storage without any expiry (until the user clears it or the developer does so from JavaScript).

You can further study this answer on the difference between Cookie and LocalStorage.

Minato
    Neither option is secure. An HttpOnly cookie would be a way of doing so. No JS will have access to it (malware and browser extensions). But admins of the laptop and the user will have access to it. – Juan Carrey Oct 11 '20 at 16:41
  • @JuanCarrey `HttpOnly Cookie` is also a completely valid solution, but it has a couple of problems, the first being CORS and the other being `CSRF`. You can't go cross-origin unless you have `HttpProxy` set up, and to avoid CSRF you need to put an `anti-CSRF` strategy in place. – Minato Oct 12 '20 at 11:00
  • @JuanCarrey so the solution I mentioned is one of the possible solutions, though you'd still need to take `XSS` into consideration. But web storage is much more secure `OOB`. And for `HTTPOnly cookie` you need to have a backend that supports it as well. – Minato Oct 12 '20 at 11:11
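The comments above make the point that an HttpOnly cookie needs an anti-CSRF strategy alongside it, because the browser attaches the cookie to cross-site requests whether or not the page that triggered them was yours. Here is what such a check looks like server-side: a synchronizer token per session, compared in constant time, plus an Origin/Referer check. This is an added example in Python, not code from the answer or its commenters. Assumed, not from the thread: the site lives at `SITE_ORIGIN`, the session id rides in a cookie named `sid`, and the token is submitted in an `X-CSRF-Token` header or a `csrf_token` form field; `SESSIONS` is a constructed in-memory session store.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumptions, not from the thread: one site origin, session id in an HttpOnly "sid" cookie,
# CSRF token submitted as an X-CSRF-Token header or a "csrf_token" form field.
SITE_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}


def new_session() -> str:
    """Create a session and mint its CSRF token; the sid goes in the HttpOnly cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value to render into forms or hand to the page's own scripts. Not a cookie."""
    return SESSIONS[sid]["csrf"]


def session_from_cookie(headers: dict) -> dict:
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def origin_allowed(headers: dict) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer; refuse if neither is ours."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(method: str, headers: dict, form: dict) -> bool:
    """True if a cookie-authenticated request may change state."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so no token is required
    if not origin_allowed(headers):
        return False
    session = session_from_cookie(headers)
    if session is None:
        return False
    submitted = headers.get("X-CSRF-Token") or form.get("csrf_token") or ""
    # The cookie got here on its own; the token proves the request came from a page we served.
    return hmac.compare_digest(submitted.encode(), session["csrf"].encode())
```

The token is deliberately a separate value from the session cookie: it has to be readable by your own page (rendered into the form or exposed to your script) precisely so that it cannot be HttpOnly, while the session cookie stays HttpOnly. A `SameSite=Lax` or `Strict` attribute on the cookie is a third, independent layer; the Origin check and the token still matter for older browsers and for requests the SameSite rules let through.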