Possible Duplicate:
What is the best way to implement “remember me” for a website?

Every user has a unique 32-char id (made like this: md5("salt" . $username . $user_password . "salt2");). I store this value in the 'unique_id' field of the users table. Is it a good way to assign this value to the user's cookie and let him be logged in only if he has it assigned? And of course check whether that value exists in the database?

I don't think it's a good practice, because if someone steals your cookie, they will be able to log in to your account.

What's the other/better solution? Of course the safest thing is probably just to store it in sessions, but I want to implement this remember me feature.

Thanks.

good_evening
  • I believe almost all remember me features are already vulnerable to cookie stealing. It's generally very difficult to steal a user's cookies unless you have an XSS vulnerability in your site, which is itself a pretty major hole. – mellamokb Mar 27 '12 at 13:49
  • Here's some good reference: http://stackoverflow.com/a/3128997/46675 – Mike B Mar 27 '12 at 13:53
  • @mellamokb Is that true? I've for some reason been picturing people hooking things up to my website and intercepting all cookies transmitted (Stupid, I know), which is why I removed my old system of storing their password in a cookie (Again a bad system, I wouldn't use that again anyway :P). Is it only XSS that it's possible through? – Ashley Davies Mar 27 '12 at 16:57
  • Unless you have a malevolent proxy or man-in-the-middle attack between the user's computer and the server, there is no real way for someone to grab another user's cookies (barring some intentional security hole such as installing an unsafe Chrome extension). The cookies transmitted over the wire are only those related to the actual server domain. In practice, you want to protect against real-life situations like a public computer being used by many users or bad choices made by the user, but in theory it should not be possible to remotely steal another user's cookies. – mellamokb Mar 27 '12 at 17:02

2 Answers

Say the database table's name for the persistent cookie is pcookies with the following columns:

  • cookie_id (CHAR)
  • user_id (INT)
  • expiry (DATETIME)
  • salt (CHAR)

Cookie creation steps:

  1. After successful login, create a cookie record in the database under a unique id. You may generate it by hash_hmac('sha512', $token, $salt) where $token = uniqid($user_id, TRUE) and $salt = md5(mt_rand()).
  2. Store 'user id', 'expiration time' and 'salt' along with the 'cookie id' in database.
  3. Store 'cookie id' and 'token' in cookie.

Authentication steps:

  1. If there is a persistent cookie found, first check whether the record is available in the database or not.
  2. If the record is available, then check whether the cookie has expired or not.
  3. If the cookie has not expired, then validate the cookie id by $cookie_id == hash_hmac('sha512', $token_from_cookie, $salt_from_db).
  4. Once the cookie is validated, delete it from the database and create a new cookie according to the above cookie creation steps.
  5. If the cookie is found to be invalid, then clear the cookie from the device, delete all other cookie records of the user from the database, notify the user about a theft attempt and proceed to the manual login process.

Notes:

  • When a session is available, skip checking the cookie.
  • After logout, clear the cookie along with the database record.
  • Never allow users to execute sensitive requests like password change or viewing credit card information from a persistent cookie login. Require the password to log in and add a flag in the session to allow all onward operations.
A.N.M. Saiful Islam
  • In this scenario what stops people using other people's cookies to get into their accounts? – Ashley Davies Mar 27 '12 at 17:00
  • In this scheme, every time the user accesses the site with an expired session, a new cookie is generated. Thus the cookie value is changing so often it will be difficult for an attacker to access the site within the correct attack window. In other words, after a successful XSS attack, the attacker would have to log in within, say, 20 minutes. – mellamokb Mar 27 '12 at 17:07
  • This method is still prone to a DoS attack. I could create a script that randomly guesses tokens and it'll log everyone on your site out. – A Friend Dec 11 '18 at 03:59
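The creation and authentication steps of the answer above, as an added PHP example that is not the answerer's code. An in-memory array stands in for the pcookies table; it assumes random_bytes() for the token and salt (in place of uniqid()/mt_rand()), hash_equals() for the comparison (in place of ==), and a 30-day expiry.

```php
<?php
// Added example, not from the answer. $db is an in-memory stand-in for the
// pcookies table: cookie_id => ['user_id' => ..., 'expiry' => ..., 'salt' => ...].
declare(strict_types=1);

// Cookie creation: records the new id in the "table" and returns the two
// values that go into the browser cookie (cookie_id and token). The salt is
// never sent to the browser; the token is never stored server-side.
function create_persistent_cookie(array &$db, int $userId): array {
    $token    = bin2hex(random_bytes(32));            // assumption: CSPRNG instead of uniqid()
    $salt     = bin2hex(random_bytes(16));            // assumption: CSPRNG instead of md5(mt_rand())
    $cookieId = hash_hmac('sha512', $token, $salt);   // as in the answer
    $db[$cookieId] = [
        'user_id' => $userId,
        'expiry'  => time() + 30 * 86400,             // assumed 30-day lifetime
        'salt'    => $salt,
    ];
    return ['cookie_id' => $cookieId, 'token' => $token];
}

// Authentication steps 1-5. Returns the user id on success (the caller must then
// issue a fresh cookie via create_persistent_cookie), or null on failure.
function authenticate_persistent_cookie(array &$db, string $cookieId, string $token): ?int {
    if (!isset($db[$cookieId])) {                     // step 1: no such record
        return null;
    }
    $rec = $db[$cookieId];
    if ($rec['expiry'] < time()) {                    // step 2: expired record
        unset($db[$cookieId]);
        return null;
    }
    $expected = hash_hmac('sha512', $token, $rec['salt']);
    if (!hash_equals($expected, $cookieId)) {         // step 3, constant-time compare
        // step 5: known id but wrong token -> treat as theft, drop all of the user's records
        foreach ($db as $id => $r) {
            if ($r['user_id'] === $rec['user_id']) {
                unset($db[$id]);
            }
        }
        return null;
    }
    unset($db[$cookieId]);                            // step 4: single use, rotate
    return $rec['user_id'];
}

// Demo on a constructed "table".
$pcookies = [];
$c = create_persistent_cookie($pcookies, 42);
var_dump(authenticate_persistent_cookie($pcookies, $c['cookie_id'], $c['token'])); // int(42)
var_dump(authenticate_persistent_cookie($pcookies, $c['cookie_id'], $c['token'])); // NULL: already rotated
```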
These two posts provide excellent implementation guidelines for persistent login cookies:

(Read them in the given order, since the second one improves the first one.)

Sahand
  • About to read through these and noticed the second link is broken. I get a 403 forbidden when trying to access. – Tedious Feb 09 '21 at 05:19