What is the best way to implement "remember me" for a website? [closed]

Asked 28/10, 2008 at 21:9 Answered 28/10, 2008 at 21:9

551

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?

Also, are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability, which could be avoided while still giving the 'remember me' functionality?

Koroseal answered 28/10, 2008 at 21:9 Comment(4)

Check #1049 (part II of top answer) – Harlie 14/12, 2011 at 13:29

if you are using ASP.NET, check out codeproject.com/Articles/779844/Remember-Me – Slovakia 30/5, 2014 at 18:7

There is some very useful info over in Security SE ~ security.stackexchange.com/questions/19676/… – Blenheim 1/8, 2015 at 10:28

The currently accepted answer by splattne is overly complex. Create a +16 byte token from a random source, hash it, and save the hash + account id in the database. Then send the token to the user (base64 encoded) in a HTTPS + httpOnly cookie (so Javascript can't access/steal it). This way, no one can guess the token or log people out with invalid guesses, yet even if your database is hacked no one can use the tokens in the database (they are hashed). So only the original client (or someone who steals the token from the browser store somehow) can use it. – Burcham 2/1, 2020 at 22:48

577

Improved Persistent Login Cookie Best Practice

You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):

When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table, the token is hashed (sha256 is fine).
When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
1. If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
2. If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
3. If the username and series are not present, the login cookie is ignored.

This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.

Mcauley answered 28/10, 2008 at 21:9 Comment(45)

see also:#1049 you should NOT read the 'improved' version – Messeigneurs 5/3, 2009 at 11:56

The problem with this is that you expose the username in the cookie, though this is what Gmail does. Why do you need both a series ID and a token? Wouldn't a bigger token be fine? – Frivolous 2/7, 2009 at 15:16

@yar: no it wouldn't be fine and the article describes why – Tem 14/4, 2010 at 13:17

@yar: the article describes in detail. the series is being used to mitigate the results of a cookie theft. – Tem 15/4, 2010 at 7:6

Also make sure that changing the user's password or password recovery information requires the original password. If the cookie is compromised, the attacker cannot prevent the original owner from accessing the account. – Benison 25/8, 2010 at 3:43

can anyone explain when will the series identifier change? if never, then storing the username encrypted and the token will suffice? – Grisham 31/10, 2010 at 0:19

the whole concept of the series identifier does not make sense as it is described here. – Ideate 19/9, 2011 at 4:47

@altvali A new series identifier is issued when a valid username/password combination is presented to authenticate the user (instead of a token). This starts a new series of random tokens used to identify this particular (long) login session. – Brainwork 14/12, 2011 at 23:26

@tvanfosson...why would you need this? Just generate a new UNIQUE token...there is no reason a single user could not have mutliple tokens...one for each login....Token A, Token B, Token C...there is no need for a series identifier. – Ideate 7/2, 2012 at 14:21

Also, regarding this model, what it to prevent an attacker from stealing and than placing the cookie on his computer and deleting the cookie from the hacked computer. His computer would than be authenticated and updated as needed with out the hacked computer ever knowing? The only change would be that the hacked computers user would have to login again and set remember me. Whether or not the hacked user recognizes this would be uncertain. – Ideate 7/2, 2012 at 14:23

You would need to add in computer characteristics..for uniqueness either a MAC address or a set of other characteristics like user agent, screen resolution, etc. – Ideate 7/2, 2012 at 14:48

Isn't is more stable to use a ID instead of a username so you don't have to worry about any case sensitive and all the other problems that come with strings? – Risa 21/4, 2012 at 17:2

I've posted a question about this answer: #10958084 – Flashbulb 9/6, 2012 at 0:58

@HiroProtagonist The Series Identifier is to prevent a DoS attack. Without it, I could quickly write a script hitting your site with every username and an invalid token, logging everyone on your site out. – Flashbulb 9/6, 2012 at 1:1

Why not add a hash of the username instead? – Lewis 15/7, 2012 at 23:25

If a new token is only generated in step 3.1, which only happens for a non-logged in user, wouldn't the new token be sent with every request of a logged in user? This leaves a lot of chances for a packet to be intercepted. Could this cookie be configured to only send when not logged in? – Chirk 31/10, 2012 at 21:14

@Chirk set the path of the cookie to the path of the auto login page – Pestilential 13/11, 2012 at 15:57

I implemented this solution yesterday and I think it works well, something that isn't mentioned is how to deal with 'orphaned' authentication informationin the DB. When the user manually clears his cookie cache, the authentication info in the database is orphaned. Perhaps implementing an auto update timestamp in the table and manually removing all authentication data over a certain age would be a good idea. – Bissonnette 13/3, 2013 at 9:58

@ChrisMoschini Been awhile but I hope it's okay. Could you explain why a series identifier helps prevent Dos attack? Like HiroProtagonist, I don't see much difference between using a longer token and series identifier + token. – Beaman 8/8, 2013 at 0:53

@Beaman If you just use a long token, and destroy all sessions for a user when any invalid token arrives, I can write a script that hits your site with every username and all 0's for the token to log all users out. Run it in a loop, no one can ever meaningfully login. If a valid Series token is required however before the server acts against sessions, the DoS attack is prevented. – Flashbulb 8/8, 2013 at 5:17

@Yar the email id is included to maintain the uniqueness, since it can happen that the same token is generated for two different accounts – Corkboard 21/4, 2014 at 14:41

@ChrisMoschini: Why would they be logged out? I only see that "remembered sessions are deleted", meaning that you could effectively DoS the rememberme feature but not the whole authentication, right? – Darell 9/7, 2014 at 10:20

Improved version actually does not provide an extra level of security, only an illusion of it.As @Jens Roland claims, pretty much any attack vector that allows the user to steal the cookie also allows it to be deleted from the hacked computer. – Lofty 11/8, 2014 at 1:21

Could you provide a simpler version with only username + token just in order to understand the basics ? (Then I'll be able to add the series) – Inscription 7/10, 2014 at 23:52

If the user has a poor internet connection could this be an issue when receiving the new token? Example, user requests login with token, internet connection drops out, new token generated at server, new token not received by user, user tries again with old token, this is seen as a hack attempt and all tokens are removed from db, user now has to login again – Praseodymium 25/11, 2014 at 2:32

Chrome sends a loading request when you type the URL in the address bar. This can cause the remember me code to execute prematurely which will invalidate the token by the time the real request is executed when the user presses enter in the address bar. I didn't see an easy way around this problem except to use a static cookie that doesn't change during subsequent logins. Anyone else encounter this problem? – Dentilingual 5/2, 2015 at 5:28

This solution is WRONG, it does not handle cuncurrency: If two remember-me authentication request arrives at the same time, with the same remember-me cookie, the first one succeeds and changes the token, the second one causes an unsucceesfull authentication, and a false alarm (because the token has been already changed by the first request). (This situation can happen when the browser starts up, and the site is restored in two browser tabs.) – Papilionaceous 14/5, 2015 at 10:54

In this case, race conditions are less important than preventing replay attacks. Race condition: Have to manually log back in. Replay attack: Tokens become more desirable to steal, since they are not a nonce. – Skirl 7/6, 2015 at 19:54

Presenting a false alarm to the user is very undesirable. Whether it is because of reasons mentioned by slobo, craigrs84, or Frogga, this solution generates these false alarms routinely. – Leprous 28/10, 2015 at 5:14

This question and answer are very weird. It's not mentioned if user id should be stored on a client and sent together with series and token for validation. So reader has to guess that series is probably a replacement for user. Second problem, question is closed, so only source of info are comments. Third problem: concurrency. And it's not small because opening same site in 2 tabs at once is very frequent. And you would not want it to fail even 1% of the time. – Inviting 16/11, 2015 at 23:39

@Frogga one potential fix would be to store 2 tokens (previous and current) with each session in the db. If previous is received, that means current was not received and a new current is generated and returned. If current is received, current becomes previous and a new current is generated and returned. This however does not fix the above mentioned concurrency issues. – Flashing 6/1, 2016 at 11:12

"A new token is generated" ..! Why? Why every time should I create a new cookie? – Mend 27/6, 2016 at 17:45

Here's a golang implementation: github.com/janekolszak/rememberme – Siderostat 3/9, 2016 at 19:19

The answer says "If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. " The series identifier isn't hashed so this makes no sense. I think what he's trying to say is "If the series identifier is present in the cookie, and the hash of the token in the cookie matches the hash of the token stored in the table alongside that series identifier, the user is considered authenticated. " – Troll 8/11, 2016 at 17:3

As understand need to create hash for cookie name and value. Both write in mysql. At login page check if cookie with particular name (hash) exists. If yes, then select mysql where cookie name and value is the same as in mysql. If yes, then from mysql get user id and set sessions that user is logged in and id is mysql id. Am i correct? As understand cookie identifier is cookie name? – Caterpillar 15/1, 2017 at 14:43

I am wondering why would I need 2 random numers insteed of single token? Is someone says SECURITY, then I would say, heck lets use 100 random tokents then. – Marmara 2/6, 2017 at 6:36

You guys should read this article link, it tells us if a hacker accesses a victim's account, then the hacker has T_1, the victim has T_0, and when the victim access his account, he can know that someone accessed his account because he has T_0 (the unvalid token and the valid series). – Scraper 19/7, 2017 at 4:2

Yo made the updates 444 :D – Athabaska 27/10, 2017 at 19:46

"If someone manages to leak the database table, it does not give an attacker an open door for impersonating users" It does. But just until the user uses the site again. If someone steals series identifier and a token while the user is not accessing the site then it works like a charm. – Cobnut 23/2, 2018 at 13:19

@Papilionaceous I was going to ask exactly the same question. You are totally right, if the user has two tabs open, the will get logged out from both tabs (even if he was authenticated in the second). I suggest that the token gets updated on every login or logout and not on every call. – Numerator 29/9, 2018 at 16:20

@Cobnut it won't work though because when the user gets access to the database table, all they will get is the series and the hashed token. So if they created two cookies, one for each, the token will always fail because they've got a hashed version of the original – Occident 10/12, 2018 at 23:17

@ChrisMoschini how does the series prevent a DOS attack? What's to stop me from writting a script that tries all variations of the series cookie with the token just set to '1', it'll go through and log everyone out – Occident 10/12, 2018 at 23:25

@Cobnut Not if you simply treat the RememberMe token as a password and only store its HMAC. – Aubreir 19/3, 2019 at 15:38

Why not just IP based rate limiting? I get that hash_equals() will prevent timing leakage (which would take millions of requests to filter out network latency en server activity) but how is a 12char series lookup going to better protect you from DoS than a 64char token lookup? – Seedtime 19/8, 2021 at 7:50

Just in case others were a little confused by @Jacco's comment - "you should NOT read the 'improved' version", here is my synthesis. I implemented the "updated strategy described here (2015)" but found that there were frequent false alarms about cookie theft (mentioned by other comments above). These happen due to concurrent requests (multiple tabs opening at once), poor internet (new cookie not updating), and Chrome's load pre-request. The changing token after each request is the problem. Just follow paragonie.com/blog/2015/04/…. – Assemblage 9/10, 2021 at 1:52

Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).

When they return look them up by the remember me token and make sure the UserId matches.

Contravallation answered 28/10, 2008 at 21:9 Comment(1)

This can be brute forced in seconds. I'll just set my user_id to 1 and brute force all tokens. It'll give me access in seconds – Occident 10/12, 2018 at 23:21

I would store a user ID and a token. When the user comes back to the site, compare those two pieces of information against something persistent like a database entry.

As for security, just don't put anything in there that will allow someone to modify the cookie to gain extra benefits. For example, don't store their user groups or their password. Anything that can be modified that would circumvent your security should not be stored in the cookie.

Bremen answered 28/10, 2008 at 21:9 Comment(0)

Investigating persistent sessions myself I have found that it's simply not worth the security risk. Use it if you absolutely have to, but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker.

The reason being of course is that your cookies containing your persistent session are so easily stolen.

4 ways to steal your cookies (from a comment by Jens Roland on the page @splattne based his answer on):

By intercepting it over an unsecure line (packet sniffing / session hijacking)
By directly accessing the user's browser (via either malware or physical access to the box)
By reading it from the server database (probably SQL Injection, but could be anything)
By an XSS hack (or similar client-side exploit)

Caren answered 28/10, 2008 at 21:9 Comment(1)

1. HTTPS is designed to prevent this. 2. Stay Logged In isn't the security problem here, you have bigger problems. 3. Same as 2. 4. This can be prevented by access-control policy and good input sanitation; if you don't take these steps, you again have bigger problems than Stay Logged In. – Flashbulb 8/6, 2012 at 18:45

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Improved Persistent Login Cookie Best Practice

Recommended topics

Hot tags