Is this a reasonable way to implement 'remember me' functionality

3

8

If a user logs into the site and says 'remember me', we get the unique identifier for the user, encrypt this with RijndaelManaged with a key size of 256 and place this in an HttpOnly cookie with a set expiration of, say, 120 days; the expiration is refreshed on each successful request to the server.

Optionally we generate the initialization vector based upon the user agent and part of the IPv4 address (the last two octets).

Obviously there's no real expiration system built into this; the user could technically use this encrypted key forever (given we don't change the server-side key).

I considered the fact that to allow this feature I need to allow the user to bypass the login and give me their unique id (which is a GUID). I figured a real user's GUID alone was really hard to guess, but it would leave the site open to attack by botnets generating GUIDs (I've no idea how realistic it is for them to find a legit GUID). So this is why there's encryption where the server knows the encryption key, and optionally the IV is specific to the browser and IP part.

Should I be considering a different approach where the server issues tickets associated with a user, and these tickets would have a known expiration date so the server stays in control of expiration? Should I really care about expiration? Remember me is remember me, after all?

Looking forward to being humbled ;), Cheers.

Sea answered 27/3, 2009 at 12:3 Comment(1)
possible duplicate of What is the best way to implement "remember me" for a website? (Clipping)
6

Very similar question.

The solution to your question is in this blog post

"Persistent Login Cookie Best Practice," describes a relatively secure approach to implementing the familiar "Remember Me" option for web sites. In this article, I propose an improvement that retains all the benefits of that approach but also makes it possible to detect when a persistent login cookie has been stolen and used by an attacker.

As Jacco says in the comments: for in depth info about secure authentication read The Definitive Guide To Website Authentication.

Hardan answered 27/3, 2009 at 12:26 Comment(3)
You should read the original post: fishbowl.pastiche.org/2004/01/19/…. (Berniecebernier)
The 'improved' version does not offer any improvements. See also: #1049. There is also an explanation of the issue somewhere down in the comments on the 'improved' version. (Berniecebernier)
@jacco thanks! Strangely enough, I was not aware of that question. (Hardan)
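The approach the answer above points at (a server-issued series plus a rotating random token, with theft detected when a stale token is replayed) as an added example; this is not code from the question, the answer, or the linked posts, and the in-memory store, the 120-day lifetime and the `series:token` cookie layout are assumptions chosen for illustration:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: series_id -> record. A real deployment would keep
# this in a database table keyed by series_id (assumption made for this example).
_store = {}

COOKIE_LIFETIME = 120 * 24 * 3600  # 120 days, the lifetime proposed in the question


def _hash(token):
    # Store only a hash so a leaked table does not yield usable cookies
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(user_id, now=None):
    """Create a new series for this login and return the cookie value."""
    now = time.time() if now is None else now
    series = secrets.token_urlsafe(16)   # identifies this login, never rotates
    token = secrets.token_urlsafe(32)    # rotates on every successful use
    _store[series] = {"user": user_id, "token_hash": _hash(token),
                      "expires": now + COOKIE_LIFETIME}
    return f"{series}:{token}"


def revoke_user(user_id):
    """Drop every series for a user (used when a stolen cookie is detected)."""
    for s in [s for s, r in _store.items() if r["user"] == user_id]:
        del _store[s]


def validate_cookie(cookie, now=None):
    """Return (status, user_id, new_cookie); status is ok, invalid, expired or theft."""
    now = time.time() if now is None else now
    series, sep, token = cookie.partition(":")
    rec = _store.get(series) if sep else None
    if rec is None:
        return ("invalid", None, None)
    if now > rec["expires"]:
        del _store[series]               # server-side expiry the client cannot extend
        return ("expired", None, None)
    if not hmac.compare_digest(rec["token_hash"], _hash(token)):
        # Known series but a token that was already rotated away: a second
        # party holds a copy of this cookie, so kill every session of the user.
        user = rec["user"]
        revoke_user(user)
        return ("theft", user, None)
    new_token = secrets.token_urlsafe(32)  # rotate and refresh on success
    rec["token_hash"], rec["expires"] = _hash(new_token), now + COOKIE_LIFETIME
    return ("ok", rec["user"], f"{series}:{new_token}")
```

Because the token is replaced on every use, whichever party presents the older copy second is the one that triggers revocation, so neither the victim nor the attacker keeps a working cookie once the theft is noticed.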
0

Did you consider something like Open Id? As SO uses.

Sprain answered 27/3, 2009 at 12:18 Comment(1)
Hi Josh, actually the site may use OpenID in the future, but remember me functionality still needs to remember who you claim to be according to our database of users. (Sea)
0

How important is the information that is being remembered? If it's not going to be anything very personal or important, just put a GUID in the cookie.

Including the IP address in the calculation is probably a bad idea, as it would make users on public networks be instantly forgotten.

Using brute force to find GUIDs is ridiculous, as there are 2^128 possibilities.

Medford answered 27/3, 2009 at 12:19 Comment(1)
Address details potentially, and order history; also yes, the IP thing is optional given the proxy issues with some networks. (Sea)