8

I would like to improve security on a current application regarding session management and I want the users to be logged in until they explicitly logout.

How does one implement that securely?

Keep session information in database, like sessionid, ip, useragent?

Please provide the requirements, possibly a database layout, do's and don'ts, tips and tricks.

Note: I know frameworks like ASP.NET, Rails, CodeIgniter, etc. already take care of that, but this is not an option. Actually it's for a classic ASP application. But I think this question does not relate to a specific language.

Sander Versluys

3 Answers

8

Read Improved Persistent Login Cookie Best Practice (both the article and comments).

Gumbo
3

You should know that such a system cannot be secure unless you use https.

It's quite simple:

  1. User logs in.
  2. The server sends the user a cookie with an expire date far in the future.
  3. If you want, you can record the IP of the user.
  4. User requests another page.
  5. The server checks the cookie (possibly the IP stored with the cookie), sees that the user is logged in, and serves the page.

Some security considerations:

As stated above, there is no secure way unless you use https.

If you're using shared hosting, try to find out where your cookies are stored. Often they reside in the /tmp directory, where every user has access to them, and through that someone could possibly steal your cookies.

Track the IP, if you know that the computer isn't ever going to change it.

Don't store any information in the cookie. Just store a random number there and store the information belonging to it on the server in a database. (Non-sensitive information like preferred colour can be stored in the cookie, of course.)

Georg Schölly
2

Create a cookie with a ridiculous expiry like 2030 or something. If you need session state, keep a session ID in the cookie (encrypted if security is priority) and map that to a table in a database. IP/UserAgent etc. tend to be meta-data, the cookie is the key to the session.

Program.X
  • I have found no valid case for encrypting cookie data that does anything other than make a non-secure scheme (storing data on the client) slightly less non-secure. I'll happily be proven wrong if someone can come up with one. – cletus Mar 26 '09 at 11:36
  • @cletus, I've seen the use of encryption in cookies for one case: the user enters his credit card info + validity date, the server checks all the data, encrypts the credit card info + data and sends a confirmation page. When the confirmation page comes back, decrypt the data and process the card. In that case it is secure and the data never got saved on the backend (except in RAM), but it does not serve as a session ID of any kind... – Alexis Wilke Oct 15 '13 at 00:10
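The server-side session table that Georg Schölly's steps and Program.X's answer both describe, written out as an added example (it is not code from any answer, and the question's classic ASP app would do the same with its own database). The cookie carries only a random token; the table stores a hash of that token plus IP and user agent as metadata, and logout deletes the row. The in-memory sqlite3 table and the sample IP/user-agent values are constructed for the example.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed in-memory store; a real deployment uses the application's database.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER,"
           " ip TEXT, user_agent TEXT, created INTEGER, last_seen INTEGER)")

def _hash(token: str) -> str:
    # Only the hash is stored, so a leaked sessions table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(user_id: int, ip: str, user_agent: str) -> str:
    """Step 1-3: after a successful login, return the opaque value to put in the cookie."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, carries no user data
    now = int(time.time())
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?, ?, ?)",
               (_hash(token), user_id, ip, user_agent, now, now))
    db.commit()
    return token

def lookup_session(token: str, ip: str, bind_ip: bool = False):
    """Step 4-5: map the cookie token back to a user_id, or None if it is not valid.
    IP binding is optional, as the answer notes, because many clients change address."""
    row = db.execute("SELECT user_id, ip FROM sessions WHERE token_hash = ?",
                     (_hash(token),)).fetchone()
    if row is None:
        return None
    user_id, stored_ip = row
    if bind_ip and stored_ip != ip:
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE token_hash = ?",
               (int(time.time()), _hash(token)))
    db.commit()
    return user_id

def logout(token: str) -> None:
    """Explicit logout: delete the row, so the cookie is dead even if the browser keeps it."""
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (_hash(token),))
    db.commit()

def cookie_header(token: str) -> str:
    """Long-lived cookie as in the answers; Secure requires https, HttpOnly keeps scripts out."""
    return (f"Set-Cookie: sid={token}; Expires=Tue, 01 Jan 2030 00:00:00 GMT; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```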