
I created a remember me cookie, containing userid (encrypted and in HTTPS).

Everything works. Now I am worried that if someone copies the cookie from one computer to another (the other person has access to the first computer) and uses the same browser, it will log in as that user. How do you overcome that security hole?

Maybe I am not understanding the mechanics well. I googled but can't find a good solution approach; everything I read points to this being a security issue.

Is there an attribute of the original machine/browser that I can use to make the cookie value? (I know I can't get the MAC address from JS, but maybe there are other variables that I don't know about.)

Ref from Previous threads: How do I prevent session hijacking by simply copy a cookie from machine to another?

Thank you

Ravi P
  • Thank you. I was hoping there would be a solution. What I am thinking is that if a second user has access to the first user's computer for a small period of time, they can copy the cookie. How does Google implement the remember me functionality? Do they have that security hole as well (sorry about my ignorance)? – Ravi P Feb 10 '20 at 14:19
  • Google, Facebook etc. make heavy use of device fingerprinting. That’s how they are also able to recognize when you logged in from a “new” device that you have not logged on from before. – misorude Feb 10 '20 at 14:22
  • Thank you - this is exactly what I am looking for. I did not know to search for the keyword ("device fingerprinting"). Thank you. – Ravi P Feb 10 '20 at 15:09
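The following is an added example, not code from the question or its comments. It shows the server-side design that is usually recommended for a "remember me" cookie instead of an encrypted user id: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator, and the validator is rotated on every use. Rotation is what addresses the scenario in the question: once both the legitimate user and someone who copied the cookie present it, one of them presents a validator that has already been rotated out, and the server can recognise that two parties hold the cookie and revoke the whole login. The coarse binding to `User-Agent` and `Accept-Language` is an assumption of this example and only raises the bar; a copy taken from the same browser, as the question describes, carries the same values, so it is not what catches the copy. The in-memory store, the cookie name `remember_me` and the 30-day lifetime are assumptions standing in for a real database and a real policy.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

COOKIE_NAME = "remember_me"     # assumed cookie name
LIFETIME = 30 * 24 * 3600       # assumed policy: 30 days


@dataclass
class Series:
    user_id: int
    validator_hash: bytes              # sha256 of the secret half; the secret itself is never stored
    binding: bytes                     # hash of coarse client attributes (assumption: UA + Accept-Language)
    expires: float
    prior_hashes: set = field(default_factory=set)   # validators already rotated out of this series


class RememberMeStore:
    """In-memory stand-in for the server-side table (a real app would use a database)."""

    def __init__(self):
        self.series = {}  # selector -> Series

    @staticmethod
    def _binding(user_agent, accept_language):
        return hashlib.sha256(f"{user_agent}\x00{accept_language}".encode()).digest()

    @staticmethod
    def _hash(validator):
        return hashlib.sha256(validator).digest()

    def issue(self, user_id, user_agent, accept_language, now=None):
        """Start a new series for a freshly authenticated user; returns the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_hex(12)        # public lookup key
        validator = secrets.token_bytes(32)     # secret half, only ever stored hashed
        self.series[selector] = Series(user_id, self._hash(validator),
                                       self._binding(user_agent, accept_language),
                                       now + LIFETIME)
        return f"{selector}:{validator.hex()}"

    def revoke_user(self, user_id):
        """Drop every series for the user, e.g. after a theft signal or a password change."""
        for sel in [s for s, v in self.series.items() if v.user_id == user_id]:
            del self.series[sel]

    def verify(self, cookie, user_agent, accept_language, now=None):
        """Returns (user_id, rotated_cookie, "ok") or (None, None, reason)."""
        now = time.time() if now is None else now
        try:
            selector, validator_hex = cookie.split(":", 1)
            validator = bytes.fromhex(validator_hex)
        except ValueError:
            return None, None, "malformed"
        s = self.series.get(selector)
        if s is None:
            return None, None, "unknown"
        if now > s.expires:
            del self.series[selector]
            return None, None, "expired"
        presented = self._hash(validator)
        if not hmac.compare_digest(presented, s.validator_hash):
            if presented in s.prior_hashes:
                # A validator this series already rotated out: two parties hold the cookie.
                # Treat as theft and revoke every series for the user.
                self.revoke_user(s.user_id)
                return None, None, "theft-detected"
            return None, None, "bad-validator"
        if not hmac.compare_digest(self._binding(user_agent, accept_language), s.binding):
            del self.series[selector]
            return None, None, "binding-mismatch"
        # Rotate the secret half on every use so any earlier copy goes stale.
        new_validator = secrets.token_bytes(32)
        s.prior_hashes.add(s.validator_hash)
        s.validator_hash = self._hash(new_validator)
        return s.user_id, f"{selector}:{new_validator.hex()}", "ok"


def cookie_header(value):
    """Set-Cookie value: HTTPS-only, unreadable from JavaScript, not sent cross-site."""
    return (f"{COOKIE_NAME}={value}; Max-Age={LIFETIME}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = RememberMeStore()
    ua, lang = "Mozilla/5.0 (X11; Linux)", "en-US"   # constructed client attributes
    first = store.issue(7, ua, lang)
    print(cookie_header(first))
    print(store.verify(first, ua, lang)[2])   # ok (cookie rotated)
    print(store.verify(first, ua, lang)[2])   # theft-detected (stale copy replayed)
```

The `verify` caller must send the rotated cookie back with the response on every successful check, otherwise the legitimate browser is the one that ends up holding a stale copy. A login that came only from this cookie should still be treated as lower assurance than a password login: re-prompt for credentials before sensitive actions such as changing the e-mail address or password.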

0 Answers