All geek questions in one place

Storing cookie information

I want to store user authentication information in a browser cookie for permanent login. As they say, never store sensitive information (such as a password) in a cookie, but in order to have an option like "Remember password", I think there is no other choice.

So, if the user wants to remember his registration information, and if I store the username (email address) + not a password, but other unique information, such as a HASHED DB ID in a cookie. Then I have to check if the hashed identifier stored in the cookie matches the email of the user stored in the Cookie. As I think, everyone can very easily see cookies stored in the browser (for example, in Firefox, Options β†’ Cookies).

So, it would be as weak as for someone to read a cookie from a computer, where it is stored, and then set a cookie with this information on another computer, and it will be logged in? (Since the script will check the stored email and hashed id with the database, and it will match)?

Is it possible to improve this approach without storing other information in the database (for example, session identifier, etc.)? Thanks

+6
source share
7 answers

There is another option.

For each user, after logging in and asking for memorization, create a long random line.

Save this line with userId in the cookie that you pass to the user.
Store correctly salted string hash in your db.

If the user presents a cookie with a pump, match the random string with the hashed verifier that you have in your database (just like if it were here).

If it matches β†’ register the user and create a new cookie for them to remember.
If doen't match -> request username and password.

+11
source

I wrote the answer to the same question in How to improve my login scheme - look there.

+1
source

I would suggest using a unique key on the server to encrypt the username (in this case, email) and save it in the auth cookie. If the cookie is modified, it will not defragment and will result in a login error.

If the auth cookie is copied (manually setting the cookie or XSS) to another computer (or another browser), the user will also be logged on to the new computer. You may consider adding unique computer information (such as IP address) to reduce this risk.

This is an explanation of .NET cookies, but I think the concept works on php too: http://support.microsoft.com/kb/910443

0
source

you don’t have much choice when you need to store user information on the client side ...

You can try to do some encryption using the client IP address as a key. Thus, even if the cookie is copied to the hacker computer, and if he does not notice that IP is the encryption key, you will have some protection for the user change information.

Facebook does something this way, the proof is every time you try to log in from a different connection point that you have to go through the user verification system ...

So, look for some kind of reversible encryption, and this should do your day;)

0
source

There is a good article on how to make Remember Me cookies safer: http://jaspan.com/improved%5Fpersistent%5Flogin%5Fcookie%5Fbest%5Fpractice

I implemented the method described in the article in the PHP library: https://github.com/gbirke/rememberme , maybe you can use this as a link.

Session logging and cookie theft are a real concern at the age of Firesheep . The only protection against this is protecting your SSL site and monitoring the flaws of XSS.

Another way to improve your security is to remember if the user logged in with the Remember Me cookie and forced him to re-authenticate when he did something β€œdangerous”, for example, ordering or changing login credentials.

For more resources, see this question: Ultimate Form-Based Website Authentication Guide

0
source

You can also set a cookie with a UserID and a SessionID with an expiration label. Then, if you bind a cookie to an IP or hostname (or, preferably, both), you are completely safe from cookie thieves and other things.

0
source

I think there is no other choice

Think again.

To maintain a session, you do not need to store a client password. The operation "remember me" is the same - use a random value, which is the search key to the data stored on your server.

If you do not use client-side certificates with passwords, everything you do to complicate the situation will not improve security and will most likely provide your customers personal data.

0
source

Source: https://habr.com/ru/post/890472/

More articles:


All Articles