The reason I ask is b.c. of this scenario:

A Remember Me cookie is stolen. It is deleted from the stolen computer and placed on the attacker's computer. All the models (this one got many upvotes) I have seen would simply treat the attacker's computer like the hacked computer and log the person in.

How would one prevent this? I have two ways, both unsuitable.

1.) Only allow one Remember Me computer.
2.) Track multiple computers and have the user monitor how many computers have him / her remembered.

Is there a way to track something hard on the computer like the Ethernet MAC address perhaps?

EDIT ANSWER:

Use a MAC address. The link below provides an external component for IE and Firefox. An external component is needed for Safari.

SO Solution

ADDED FOR CLARIFICATION:

Not IP addresses (hard as in something that cannot change)

  • That's the risk of "remember me" cookies. There is no way to fully prevent this. If you think it too risky for your application, don't provide a "remember me" feature – Pekka Feb 07 '12 at 14:20
  • possible duplicate of [What is the best way to implement "remember me" for a website?](http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website) – Lawrence Cherone Feb 07 '12 at 14:20
  • @Pekka...every ethernet controller (wired possibly even wireless) shipped has a unique MAC address...this would solve the problem...but you would probably need the user to install software...Web Browser companies should be given access to this...to me that would be common sense...why there is not a pull_mac_address() as a standard javascript call I can't imagine. –  Feb 07 '12 at 14:31
  • @Lawrence..it's not a duplicate and I already posted that link above. –  Feb 07 '12 at 14:41
  • @GuyMontag It’s actually pretty easy to change the MAC address. From this perspective it would be more difficult to use a specific IP address in the Internet, as generally you’ll get one assigned by your provider. – Gumbo Feb 07 '12 at 14:57
  • @Gumbo - a MAC address is assigned to the PHY during manufacturing..it is a physical assignment..and each one is unique...an IP address is not a physical assignment..and is not unique..you cannot change it...my guess is you could fake changing it...or make it appear to be something else..but in reality it does not change. –  Feb 09 '12 at 23:11
  • @HiroProtagonist it's really easy to change your MAC address, have done it many times. Just google 'change mac address' – Francisco Presencia Jun 22 '12 at 00:57
  • My point is that you are not changing the physical MAC address, you are changing the software representation of it. –  Oct 10 '12 at 15:28

6 Answers

2

Change the cookie on every login/visit. If the computer is stolen, you log in and the cookie changes. The stolen computer, which still has the old cookie, gets logged out.

If the stolen computer logs in then he/she changes the cookie. The real user gets logged out, and then has to log back in which changes the cookie again.

thenetimp
  • 9,487
  • 5
  • 29
  • 42
2

Save in the cookie a hash of the User Agent + something else (like resolution). Maybe not very secure, but better than a simple cookie with remember-me information, and it would work for people with dynamic IPs.

giker
  • 4,165
  • 1
  • 18
  • 10
  • This is a smart idea...I would call this computer characteristics...enough of them...and you come pretty close to a unique identifier. –  Feb 07 '12 at 14:44
0

Tie the cookie to an IP address, server side?

Stu
  • 15,675
  • 4
  • 43
  • 74
0

You can store the IP of the last remember-me login in a database (or in the cookie):

$_SERVER["HTTP_CLIENT_IP"]
// HTTP_CLIENT_IP is filled from the request's Client-IP header, which the client can set itself;
// $_SERVER["REMOTE_ADDR"] holds the address of the peer the server actually accepted the connection from.
Rick Hoving
  • 3,585
  • 3
  • 29
  • 49
0

My approach to this would be a hybrid of various techniques. I'd use cookies containing information about the PC that had been logged in - Browser, Resolution, etc, as well as (by default) the IP. Obviously I could match these against the last values recorded in the database to ensure the machine with the cookie hadn't changed.

I'd then provide a method for those with dynamic IP addresses to opt-out of IP address matching for the sessions, with plenty of appropriate warnings that doing so would significantly decrease the security protecting their account, of course.

Hecksa
  • 2,762
  • 22
  • 34
0

I like to look at Windows Live Messenger in this instance, if I log into the desktop app as well as hotmail I get a notification that I'm logged into more than 1 place - it asks me if I want to log out of the other location.

What I like about this is it puts control into the user's hands; what I don't like about this is an attacker can kick out a genuine user and completely hijack an account.

This whole topic to me looks like you're damned if you do and damned if you don't.

Let's just take a step back for a minute: who can be an attacker? Well, anyone really - take for example your ex-husband or ex-wife who knows your usernames and passwords; he/she can easily attack your account because he/she knows all of your information to start with. You can never completely protect yourself; you change your password, but he/she probably knows that too!

I ask you to look at your project and evaluate if a remember me system would actually deliver added value over any security risk it poses.

Now, the direct answers for your questions:

  1. Generate a unique key for the user, insert it into your database and write the key to your cookie, when the cookie is sent to the server you evaluate it against the key in the database, if it is a match - bingo, you have access, if not run a logout script and destroy the cookie.

  2. For this, each time you write a cookie store the information in your database against a user ID and status of the cookie (e.g. alive or dead), then each time you read the cookie check the status of it - if it is set to alive then simply log the event and move on but, if it is set to dead you kill the cookie and log that it was killed.

Next you can display this log information and give certain controls to the user, for example you can allow the user to set a cookie to dead then next time you read the cookie you kill it.

  3. Working with hardware is easier said than done, but it is doable. The easiest way I have found is to use a Java applet that is run locally; you can then detect hardware information and send it to your application for processing. For your average website I don't personally think it's worth it, but it is doable.

Another alternative is to wrap your application in something like Adobe AIR that can detect the hardware information for you to work with.

I hope this helps you.

Ryan
  • 1,878
  • 1
  • 14
  • 17
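Added example (not code from the question or from any of the answers): a small Python remember-me store that combines three ideas from this thread in one place: thenetimp's "change the cookie on every use" with a single-device login that logs the old cookie out, giker's hash of client characteristics (User-Agent plus resolution) stored next to the token, and Ryan's alive/dead status with an event log and a user-visible list of remembered computers. Every name here (RememberMeStore, fingerprint, login, redeem, devices, kill), the sample User-Agent strings and the in-memory dict standing in for the database table are my own assumptions; none of it is a real framework API.

```python
import hashlib
import hmac
import secrets
import time


def fingerprint(user_agent: str, resolution: str) -> str:
    """Hash of client characteristics sent with the request (giker's idea).
    Whoever can copy the cookie can usually copy these too, so this only raises
    the bar; it is not a hardware identifier, and no MAC address is involved."""
    return hashlib.sha256(f"{user_agent}|{resolution}".encode()).hexdigest()


class RememberMeStore:
    """In-memory stand-in for the database table the answers describe (assumed)."""

    def __init__(self):
        self.records = {}   # sha256(token) -> record; a DB dump yields no usable cookies
        self.log = []       # (event, user) pairs: the log Ryan suggests showing the user

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user: str, fp: str) -> str:
        token = secrets.token_urlsafe(32)          # the value written to the cookie
        self.records[self._key(token)] = {
            "user": user, "fp": fp, "status": "alive", "created": time.time()}
        self.log.append(("issued", user))
        return token

    def login(self, user: str, fp: str, single_device: bool = False) -> str:
        """Password login. With single_device=True (thenetimp's model, the asker's
        option 1) every other remembered computer is killed, so a stolen cookie
        stops working the next time its owner logs in."""
        if single_device:
            for rec in self.records.values():
                if rec["user"] == user and rec["status"] == "alive":
                    rec["status"] = "dead"
            self.log.append(("killed_all", user))
        return self._issue(user, fp)

    def redeem(self, token: str, fp: str):
        """Validate a presented cookie. Returns (user, new_token) or None."""
        rec = self.records.get(self._key(token))
        if rec is None:
            self.log.append(("unknown_token", "-"))
            return None
        if rec["status"] == "dead":
            # Only a copy of an already-rotated cookie can get here: log it, no login.
            self.log.append(("dead_token_replayed", rec["user"]))
            return None
        if not hmac.compare_digest(rec["fp"], fp):
            rec["status"] = "dead"
            self.log.append(("fingerprint_mismatch", rec["user"]))
            return None
        # Rotate on every use: the presented token dies and a fresh one is issued,
        # so two holders of the same cookie cannot both keep using it.
        rec["status"] = "dead"
        self.log.append(("rotated", rec["user"]))
        return rec["user"], self._issue(rec["user"], fp)

    def devices(self, user: str) -> list:
        """Alive token hashes: what a 'computers that remember me' page would list."""
        return [k for k, r in self.records.items()
                if r["user"] == user and r["status"] == "alive"]

    def kill(self, user: str, token_hash: str) -> bool:
        """User-initiated revocation from that page (the asker's option 2)."""
        rec = self.records.get(token_hash)
        if rec is None or rec["user"] != user or rec["status"] != "alive":
            return False
        rec["status"] = "dead"
        self.log.append(("killed_by_user", user))
        return True


def stolen_cookie_scenario() -> dict:
    """The question's scenario with constructed data: cookie copied off the laptop
    and deleted there, then presented from elsewhere with a cloned fingerprint."""
    store = RememberMeStore()
    laptop = fingerprint("Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0", "1440x900")
    t1 = store.login("alice", laptop)                 # cookie set on Alice's laptop
    hijack = store.redeem(t1, laptop)                 # copy presented with cloned UA/resolution
    attacker_token = hijack[1] if hijack else None
    t2 = store.login("alice", laptop, single_device=True)  # Alice, cookie gone, logs in again
    after = store.redeem(attacker_token, laptop) if attacker_token else None
    return {"hijacked": hijack is not None and hijack[0] == "alice",
            "attacker_after_login": after,
            "alive_devices": len(store.devices("alice")),
            "events": [e for e, _ in store.log]}


if __name__ == "__main__":
    print(stolen_cookie_scenario())
```

The walk-through shows the limit the thread circles around: an attacker who copies the cookie and also reproduces the User-Agent and resolution is accepted, which is exactly why giker calls the fingerprint "maybe not very secure", and it is Alice's next password login in single-device mode that revokes that session, which is thenetimp's point. A copy presented from a browser whose characteristics differ is rejected and the token is marked dead, and the event log plus the devices list are what the user-facing controls in Ryan's answer would be built on.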