13

I want to save user's authentication information in browser cookie for persistent login. As they say, its never safe to store any secret info (such as password) in cookie, but in order to have an option such as 'Remember Password', i think there is no any other choice.

So, if a user want to remember his login info, and if i store username (Email) + Not the password, but some other unique info, such as HASHED DB ID in the cookie. Then i should check if the hashed ID stored in cookie matches with user's email which is stored in Cookie. As I think anyone can very easily see the cookies stored in Browser (for example in Firefox, Options -> Cookies ).

So would this be as weak as for someone to read the cookie from the computer where its saved, then on other computer set cookie with that information and he would be logged in? (As the script will check the stored email and hashed id with database and it will match)?

Could this approach be bit improved without storing other information in database (such as session id etc) ? Thanks

Roman
  • 3,764
  • 21
  • 52
  • 71
  • 1
    One approach you might want to consider is simply storing the user's ID in the cookie, but also having a non-persistent authenticated cookie. A user with an ID cookie but no authenticated cookie can browse your system but will be prompted for a password the first time they try to make a change. If the password is correct then the authenticated cookie is set and the user won't be asked again. As the cookie is non-persistent the authentication will only last until the end of the session. – GordonM Jun 14 '11 at 08:04
  • @GordonM, Thanks, I think amazon.com has same approach. I'm interested to know that if you access the cookie, lets say email + and some hashed info, how hard it will be for you to you to set those cookies in your browser? – Roman Jun 14 '11 at 08:15
  • I'd be storing very little in the cookies at all. The persistent ID cookie would just use the ID of the user in question, and the non-persistent auth cookie would either be true or false. Try to avoid storing more in a cookie than is absolutely necessary to accomplish a task, as if you send just an ID that's all a snooping hacker has to go on, whereas if you send additional info that might give the hacker more clues as to how to attack your system. – GordonM Jun 14 '11 at 10:49

7 Answers7

15

There is another option.

For each user, upon logging in and requesting to be remembered, create a long random string.

Store this string, along with the userId, in the cookie you give to the user.
Store a properly salted hash of the string in your db.

If the user presents a remember-me cookie, match the random string to the hashed verifier you have in your database (just as if it where a password).

If it matches -> log the user in and create a new remember-me cookie for them.
If doen't match -> request username and password.

Jacco
  • 23,534
  • 17
  • 88
  • 105
2

I wrote an answer to the same question in How to improve my user login scheme - have a look there.

Community
  • 1
  • 1
cweiske
  • 30,033
  • 14
  • 133
  • 194
1

I would suggest using an unique key on the server to encrypt the username (in this case, email) and store it in the auth cookie. If the cookie is tampered it will fail to be decrpted and result in login failure.

If an auth cookie is copied (by manually setting the cookie or by XSS) to another computer (or another browser), then the user would be logged in as well on the new computer. You could consider adding some unique information about the computer (such as IP address) to reduce such risk.

This is an explaination about auth cookies in .NET, but I think the concept works on php as well: http://support.microsoft.com/kb/910443

Jim
  • 1,695
  • 2
  • 23
  • 42
1

There is a good article on how to make "remember me" cookies more secure.

I have implemented the method described in the article in a PHP library: https://github.com/gbirke/rememberme, maybe you can use that as a reference.

Session fixation and cookie stealing is a real problem in the age of Firesheep. The only defense against that is securing your site with SSL and monitoring for XSS flaws.

Another way to improve your security is to remember if a user logged in with a "remember me" cookie and force him to reauthenticate when he does something "dangerous" like ordering or changing login credentials.

For more resources, see this Question: The definitive guide to form-based website authentication

Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
chiborg
  • 26,978
  • 14
  • 97
  • 115
  • 1
    Unfortunately, improvements proposed in the first linked article are not improving anything. they where written in reaction to: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/ but sadly they are wrong. – Jacco Jun 14 '11 at 09:28
  • There is not enough space in the comment box to explain in detail. Some discussion about it is below the fishbowl article, as well as in the comments to [The Definitive Guide To Website Authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication/477579#477579). – Jacco Jun 14 '11 at 10:15
0

you don't have so much of a choice when it comes to store user info on client side...

You can try to make some encryption using the client IP as the key. This way even if the cookie is copied to the hacker computer and if he doesn't notice that the IP is the key of the encryption you'll have some descent protection of user's info.

Facebook is doing something this way, proof is everytime you try to log in from another connection point you have to go throught the user verification system...

So look for some reversible encryption and this should make your day ;)

MaxouMask
  • 985
  • 1
  • 12
  • 33
0

You could also install a cookie with a UserID and a SessionID with a expire timestamp. Then if you bind the cookie to IP or hostname (or preferrably both) you're quite safe from cookie stealers and other stuff.

Sander
  • 1,402
  • 2
  • 21
  • 44
0

i think there is no any other choice

Think again.

You don't need to store the password clientside in order to maintain a session. The 'remember me' operation is just the same - use a random value which is a lookup key to data held on your server.

Short of using client side certificates with pass phrases, anything else you do to complicate things will not improve security, and is more likely to expose your customer's private data.

symcbean
  • 47,736
  • 6
  • 59
  • 94