
After researching ways to make a secure login form with 'remember me' functionality, I've come across many conflicting views on how to make this secure. The login system I wish to create does not need to be highly secure, but I'd like to pick a nice, secure and easy method, and I have two questions.

  1. What should be stored in the session variables to check that a user is logged in? Is this just the username (or ID)? If it is just the username, what happens in the case where a user finds their account has been compromised and wishes to change the password to stop the malicious user messing around with their account? If the malicious user has a session, then even if the password is changed they can continue being malicious until their session expires. Can this be avoided, maybe by invalidating all sessions with that username on password change?

  2. Is storing a password (re-encrypted with a salt used just for cookies) and username in a (HttpOnly) cookie a decent enough way of having the 'remember me' functionality? I've heard ways where a database stores a username and a randomly generated key, and this is also put in the user cookie. Then when a user action occurs the old key is replaced with a new one and given to the user's cookie. Is this type of cookie security worth it or will the usual re-encrypted password method be sufficient?

Timm
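The invalidation the question sketches in point 1 (all sessions for a user die when the password changes) is straightforward to implement when each server-side session records a "password version" copied from the user row at login time. The example below is added here and is not code from the question or either answer; the in-memory `SESSIONS` and `USERS` dictionaries stand in for whatever session store and user table an application actually uses, and the PBKDF2 hashing is a dependency-free placeholder for bcrypt or Argon2.

```python
import hashlib
import secrets

# Constructed stand-ins for a server-side session store and a user table.
SESSIONS = {}   # session_id -> {"user_id": ..., "pw_version": ...}
USERS = {}      # user_id -> {"salt": ..., "pw_hash": ..., "pw_version": ...}


def _hash_password(password, salt):
    # Placeholder KDF; a real deployment would use bcrypt/Argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(user_id, password):
    salt = secrets.token_bytes(16)
    USERS[user_id] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "pw_version": 1,        # bumped on every password change
    }


def login(user_id, password):
    """Verify the password and open a session; returns the session id or None."""
    user = USERS.get(user_id)
    if user is None:
        return None
    if not secrets.compare_digest(user["pw_hash"], _hash_password(password, user["salt"])):
        return None
    sid = secrets.token_urlsafe(32)  # opaque id; the cookie carries only this
    # Snapshot the password version the session was issued under.
    SESSIONS[sid] = {"user_id": user_id, "pw_version": user["pw_version"]}
    return sid


def current_user(sid):
    """Resolve a session id to a user id, rejecting sessions that predate a password change."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    user = USERS.get(session["user_id"])
    if user is None or session["pw_version"] != user["pw_version"]:
        SESSIONS.pop(sid, None)  # stale: password changed after this session was issued
        return None
    return session["user_id"]


def change_password(user_id, new_password):
    """Set a new password and, by bumping the version, invalidate every existing session."""
    user = USERS[user_id]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["pw_version"] += 1
```

Because the check happens on every request, the attacker's session stops working immediately after the password change, not when it eventually expires; the legitimate user simply logs in again and receives a session stamped with the new version.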

2 Answers


Usually, if you want to remember the user, you generate a "key" and store it in the database, then set its "lifetime" (this can be anything, like 6 hours or 2 days). You store that key in the cookie (along with the user ID). Now, every time the user connects to the website you compare both keys. If the key in the database has exceeded its lifetime, you generate a new key and store it in the cookie. Thus, if someone steals the cookie (somehow), he would have to use it before you connect to the website again and reset the key. This is the method I most commonly see.

MMM
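The scheme this answer describes, as an added example that is not part of the original post: a random key per user, stored server-side with a lifetime, sent in the cookie next to the user ID, compared on every request and rotated once the lifetime has passed. It goes one step beyond the answer by storing only a hash of the key in the `REMEMBER_TOKENS` table (a constructed in-memory stand-in for the database), so a leaked table does not yield usable cookies, and by comparing in constant time. The 6-hour lifetime is the answer's own figure; the `now` parameter exists so the rotation can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_LIFETIME = 6 * 3600          # seconds; the answer's "6 hours" example
REMEMBER_TOKENS = {}                  # user_id -> {"key_hash": ..., "expires": ...}


def _hash_key(key):
    # Only the hash reaches storage; the raw key lives in the cookie alone.
    return hashlib.sha256(key.encode()).hexdigest()


def issue_remember_me(user_id, now=None):
    """Create a fresh key for the user and return the cookie value to set.

    The cookie should be set with HttpOnly and Secure; that is the caller's job.
    """
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[user_id] = {"key_hash": _hash_key(key), "expires": now + REMEMBER_LIFETIME}
    return f"{user_id}:{key}"


def check_remember_me(cookie_value, now=None):
    """Validate a remember-me cookie.

    Returns None if the cookie is malformed or the key does not match, otherwise
    (user_id, replacement_cookie) where replacement_cookie is None unless the
    key's lifetime has passed and a rotated cookie must be sent back.
    """
    now = time.time() if now is None else now
    try:
        user_id, key = cookie_value.split(":", 1)
    except ValueError:
        return None                       # malformed cookie
    record = REMEMBER_TOKENS.get(user_id)
    if record is None:
        return None                       # no outstanding key (logged out / revoked)
    if not hmac.compare_digest(record["key_hash"], _hash_key(key)):
        return None                       # wrong key: reject, do not rotate
    if now >= record["expires"]:
        # Lifetime exceeded: rotate, which silently invalidates any copy of the old cookie.
        return user_id, issue_remember_me(user_id, now)
    return user_id, None


def revoke_remember_me(user_id):
    """Drop the stored key, e.g. on logout or password change."""
    REMEMBER_TOKENS.pop(user_id, None)
```

Note that, following the answer's description, an expired key still authenticates and merely triggers rotation; if the lifetime should instead be a hard cutoff, reject the request in the `now >= record["expires"]` branch and require a full login. Either way, calling `revoke_remember_me` from the password-change handler keeps a stolen cookie from outliving the credential it was issued with.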
  1. If the account has already been compromised, there's little, if anything, that you can do. The malicious user will likely change the account password him/herself, along with the email address, etc. Trying to account for the case where the "real" user and a malicious user are logged in at the same time is pointless, IMO.

  2. Never store any sensitive data in a cookie (HTTP-only or not).

FtDRbwLXw6