Secure 'Remember Me' Option


  1. #1

    Secure 'Remember Me' Option

    I usually don't like 'Remember Me' options in authentication forms if there's any kind of sensitive info involved, but a client has requested it.

    After some thinking, I have implemented the system like this:

    Every time a user logs into the site a record is created in the Login table. This table holds a record of the login & IP. The primary key is a replication ID; I call it the 'Login Token'. The user's Session ID is also stored. The record has an expiration_date field. If the user did not select "Remember Me" the expiration date is set to =Now(), otherwise it's set to =Now()+30.

    When a user logs in with the Remember Me flag set, I save a cookie with 2 fields: Hash & Token. Hash is an MD5 hash of their SessionID. Token is the Login Token.

    At Session_OnStart I look for the cookies. If they exist, I query for the SessionID for that token, hash it, and compare. You get the drift.

    I did it this way, w/ 2 codes instead of 1, to make it much more difficult, impossible really, to just "guess" at a code. I used a code to begin with, rather than just save a username or email address in a cookie, because I'm worried about cookie tampering.

    MY QUESTION:
    This is all working fine and I was doing security testing and I got the idea: what if someone sniffs the 2 codes during transit in either direction? If they have the 2 codes and can simulate a cookie (easily doable) then they can auto-log themselves in w/o ever having to worry about a password. I know I can use SSL when I'm setting the cookies, but not when the user returns to the site and I check him that one time to see if he's a returning, auto-login user. Automatically transferring everyone at Session_OnStart to a secure server to do the check, then redirecting non-logins back to the main page on the std server is noticeably slow and just not acceptable.

    Sorry for the length.
    I appreciate any insight you can provide.

    Shane

  2. #2

    Using a hash or other function...

    ...only helps not having to store username/password information in the cookie on the client. As you say yourself, it doesn't help against somebody intercepting the cookie information and duplicating it on their computer, because the cookie information isn't linked to the computer it is created on. If you were able to link the two, then it wouldn't matter if somebody could intercept it, because re-creating it on their machine wouldn't help, because they're on a different machine.

    However, establishing this link is, as far as I know, impossible. Using the IP address won't work for people who don't have a fixed IP address, and at the moment I can't think of anything else you could use.

    At the end of the day it depends on how critical it is that the log-in process is 100% secure. If it provides access to banking information, I would *NEVER* allow a Remember Me option, even if the client asks for it. If it's providing access to a discussion forum, it may not be so important if somebody else hacks in. It depends on the situation.

    Oliver.
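Added example, not code from either post (Shane's site was classic ASP; this is Python so it can run stand-alone). It implements the two-part cookie idea from post #1, the "Login Token" plus a second secret, in the series/token form that is the usual answer to the interception problem raised in both posts: the token half is rotated on every successful auto-login, so a sniffed copy of the cookie stops working as soon as the real user returns, and a replay of the old copy (known series, stale token) is detected and logs the user out everywhere. Only a hash of the token is stored, so a read of the Login table does not yield usable cookies. The in-memory `LOGIN_TABLE`, the function names and the `series`/`token` field names are this example's own assumptions; the 30-day window is from the post.

```python
"""Persistent-login ("Remember Me") cookies with rotation and theft detection.

Added example, not the poster's classic-ASP code. The cookie carries
"<series>:<token>": series is a stable random ID for the remembered login
(playing the role of the poster's Login Token); token is random, rotated on
every successful use, and only its SHA-256 is stored server side. A cookie
whose series exists but whose token is wrong is treated as a replayed copy.
"""
import hashlib
import hmac
import secrets
import time

REMEMBER_DAYS = 30                      # the 30-day window from the post
REMEMBER_SECONDS = REMEMBER_DAYS * 86400

# Constructed in-memory stand-in for the poster's Login table: series -> row.
LOGIN_TABLE = {}


def _sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def issue_remember_me(user_id, now=None, series=None):
    """Create (or, given a series, rotate) a remembered login; returns the cookie value."""
    now = time.time() if now is None else now
    series = series or secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
    LOGIN_TABLE[series] = {
        "user_id": user_id,
        "token_hash": _sha256_hex(token),   # a leaked table does not yield cookies
        "expires": now + REMEMBER_SECONDS,
    }
    return "%s:%s" % (series, token)


def set_cookie_header(cookie_value):
    """Set-Cookie line; Secure keeps the cookie off plain HTTP, HttpOnly off scripts."""
    return ("Set-Cookie: remember_me=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax"
            % (cookie_value, REMEMBER_SECONDS))


def revoke_user(user_id):
    """Drop every remembered login for a user; returns the number dropped."""
    doomed = [s for s, row in LOGIN_TABLE.items() if row["user_id"] == user_id]
    for s in doomed:
        del LOGIN_TABLE[s]
    return len(doomed)


def auto_login(cookie_value, now=None):
    """Check a presented cookie.

    Returns (status, user_id, new_cookie) with status one of
    'ok', 'none' (unknown or malformed), 'expired', 'theft'.
    """
    now = time.time() if now is None else now
    if not cookie_value or ":" not in cookie_value:
        return "none", None, None
    series, token = cookie_value.split(":", 1)
    row = LOGIN_TABLE.get(series)
    if row is None:
        return "none", None, None
    if now >= row["expires"]:
        del LOGIN_TABLE[series]
        return "expired", None, None
    if not hmac.compare_digest(row["token_hash"], _sha256_hex(token)):
        # Known series, wrong token: an old copy of the cookie is being replayed
        # (the sniffing case from the post). Log the user out everywhere.
        user_id = row["user_id"]
        revoke_user(user_id)
        return "theft", user_id, None
    # Good cookie: rotate the token so this copy is now single-use.
    new_cookie = issue_remember_me(row["user_id"], now, series=series)
    return "ok", row["user_id"], new_cookie


if __name__ == "__main__":
    t0 = 1_700_000_000
    cookie = issue_remember_me("shane", t0)
    print(set_cookie_header(cookie))
    print(auto_login(cookie, t0 + 86400)[0])          # ok
    print(auto_login(cookie, t0 + 2 * 86400)[0])      # theft (replay of rotated cookie)
```

Two points a practitioner would add to the thread's discussion. First, the `Secure` attribute means the browser never sends the cookie over plain HTTP at all, so the auto-login check has to run on the HTTPS side of the site; the modern resolution of the poster's "SSL only when setting the cookie" problem is simply to serve everything over TLS. Second, rotation does not stop an attacker who captures a cookie and uses it before the legitimate user does, so the remembered login should only restore a low-privilege session and the password should be required again before anything sensitive, which is consistent with Oliver's advice for high-value sites.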
