Best Practice to Implement Secure "Remember Me"
Asked Answered
S

1

23

Sometimes, I come across certain web development frameworks which don't provide an authentication feature, such as in Authentication ASP.NET.

I was wondering what security measures need to be considered when implementing "Remember Me" login features, by hand coding?

Here are the things I usually do:

  1. Store the user name in cookie. The user name is not encrypted.

  2. Store a secret key in a cookie. The secret key is generated using one way function based on user name. The server will verify secret key against user name, to ensure this user name is not being changed.

  3. Use HttpOnly in cookie. http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

Anything else I have missed, which could possibly lead a security holes?

Sorrow answered 7/4, 2010 at 18:35 Comment(0)
M
18

The cookie should always be a random value that expires. There are cases where you can store the state as a cookie value and it not be a secuirty hazard, such as the users' preferred language, but this should be avoided as much as possible. Turning HttpOnlyCookies on, is a great idea.

Read A3: "Broken Authentication and Session Management" in the OWASP top 10 for 2010. One important point in this section is that https must be used for the entire session. If the session is lasting for a very long time, then this is even more important.

Also keep in mind that "Remember Me" creates a large window in which an attacker can "ride" on the session. This gives an attacker a very long time (Months?) in which he can deliver a CSRF attack. Even if you have CSRF protection an attacker can still ride on a session with XSS and XmlHttpRequest (HttpOnlyCookies will prevent a full hijack). "Remember Me" makes other threats like xss, csrf, sniffing more serious. As long as these vulnerabilities have been addressed, then you shouldn't have a problem with real world hackers.

The easiest (and secure) approach to implement a "remember me" feature would be to modify the session timeout your web.config file:

   <configuration>
        <system.web>
            <sessionState timeout="60"/>
            </sessionState>
        </system.web>
   </configuration>

Se the timeout to something high, maybe a month or so. If the "Remember Me" checkbox is unchecked then store a session variable of a more normal timeout (like 24 hours). Check this session variable in a header file for each request. If the checkbox is checked, then act normally and let asp.net take care of it.

If the session doesn't expire then it will be much easier to brute force. These values are large, but allowing a hacker to spend years trying to guess a session id is a vulnerability.

Maturity answered 7/4, 2010 at 19:27 Comment(2)
Great answer. The only thing I will add is take precautions to prevent XSS and CSRF. Both these issues become important if you have long-lived sessions.Graig
@Srim I totally agree with you. (+1)Maturity

© 2022 - 2024 — McMap. All rights reserved.