Tuesday, April 3, 2012

Best ways of implimenting “Remember Me” for your website


Taken from :  this and this

When the user successfully logs in with Remember Me checked, a
 login cookie is issued in addition to the standard session management cookie.You could use this strategy described here as best practice:
  1. The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.
  2. When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.
    1. If the triplet is present, the user is considered authenticated. The used token is removedfrom the database. A new token is generated, stored in database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.
    2. If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
    3. If the username and series are not present, the login cookie is ignored.
Investigating persistent sessions myself I have found that it's simply not worth the security risk. Use it if you absolutely have to, but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker.
The reason being of course that your cookies containing you persistent session are so easily stolen.
4 ways to steal you cookies (from a comment by Jens Roland on the page splattne based his answer on):
  1. By intercepting it over an unsecure line (packet sniffing / session hijacking)
  2. By directly accessing the user's browser (via either malware or physical access to the box)
  3. By reading it from the server database (probably SQL Injection, but could be anything)
  4. By an XSS hack (or similar client-side exploit)

1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2]
2. The login cookie contains the user's username and a random number (the "token" from here on) from a suitably large space. The username and token are stored as a pair in a database table.
3. When a non-logged-in user visits the site and presents a login cookie, the username and token are looked up in the database.
1. If the pair is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username, and issued to the user via a new login cookie.
2. If the pair is not present, the login cookie is ignored.
4. Users that are only authenticated via this mechanism are not permitted to access certain protected information or functions such as changing a password, viewing personally identifying information, or spending money. To perform those operations, the user must first successfully submit a normal username/password login form.
5. Since this approach allows the user to have multiple remembered logins from different browsers or computers, a mechanism is provided for the user to erase all remembered logins in a single operation.

No comments:

Post a Comment

Thank you for Commenting Will reply soon ......

Featured Posts

#Intel #Core #i9 #Processors: A Breakdown

Intel Core i9 Processors: A Breakdown Intel's 14th Gen Core i9 series offers a range of processors designed for various use cases. Her...