What is the best way to implement remember me for a website

Question

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website  I know I will need to store a cookie on their computer to implement this  but what should be contained in that cookie     Also  are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability  which could be avoided while still giving the  remember me  functionality

User · Answer

Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).

When they return look them up by the remember me token and make sure the UserId matches.

User · Answer

Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).

When they return look them up by the remember me token and make sure the UserId matches.

User · Answer

Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).

When they return look them up by the remember me token and make sure the UserId matches.

User · Answer

I would store a user ID and a token  When the user comes back to the site  compare those two pieces of information against something persistent like a database entry   As for security  just don t put anything in there that will allow someone to modify the cookie to gain extra benefits  For example  don t store their user groups or their password  Anything that can be modified that would circumvent your security should not be stored in the cookie

User · Answer

Improved Persistent Login Cookie Best Practice  You could use this strategy described here as best practice  2006  or an updated strategy described here  2015     When the user successfully logs in with Remember Me checked  a login cookie is issued in addition to the standard session management cookie  The login cookie contains a series identifier and a token  The series and token are unguessable random numbers from a suitably large space  Both are stored together in a database table  the token is hashed  sha256 is fine   When a non-logged-in user visits the site and presents a login cookie  the series identifier is looked up in the database    If the series identifier is present and the hash of the token matches the hash for that series identifier  the user is considered authenticated  A new token is generated  a new hash for the token is stored over the old record  and a new login cookie is issued to the user  it s okay to re-use the series identifier   If the series is present but the token does not match  a theft is assumed  The user receives a strongly worded warning and all of the user s remembered sessions are deleted  If the username and series are not present  the login cookie is ignored     This approach provides defense-in-depth  If someone manages to leak the database table  it does not give an attacker an open door for impersonating users

User · Answer

Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).

When they return look them up by the remember me token and make sure the UserId matches.

User · Answer

I would store a user ID and a token  When the user comes back to the site  compare those two pieces of information against something persistent like a database entry   As for security  just don t put anything in there that will allow someone to modify the cookie to gain extra benefits  For example  don t store their user groups or their password  Anything that can be modified that would circumvent your security should not be stored in the cookie

User · Answer

Investigating persistent sessions myself I have found that it s simply not worth the security risk  Use it if you absolutely have to  but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker   The reason being of course is that your cookies containing your persistent session are so easily stolen   4 ways to steal your cookies  from a comment by Jens Roland on the page  splattne based his answer on     By intercepting it over an unsecure line  packet sniffing   session hijacking  By directly accessing the user s browser  via either malware or physical access to the box  By reading it from the server database  probably SQL Injection  but could be anything  By an XSS hack  or similar client-side exploit

User · Answer

Improved Persistent Login Cookie Best Practice  You could use this strategy described here as best practice  2006  or an updated strategy described here  2015     When the user successfully logs in with Remember Me checked  a login cookie is issued in addition to the standard session management cookie  The login cookie contains a series identifier and a token  The series and token are unguessable random numbers from a suitably large space  Both are stored together in a database table  the token is hashed  sha256 is fine   When a non-logged-in user visits the site and presents a login cookie  the series identifier is looked up in the database    If the series identifier is present and the hash of the token matches the hash for that series identifier  the user is considered authenticated  A new token is generated  a new hash for the token is stored over the old record  and a new login cookie is issued to the user  it s okay to re-use the series identifier   If the series is present but the token does not match  a theft is assumed  The user receives a strongly worded warning and all of the user s remembered sessions are deleted  If the username and series are not present  the login cookie is ignored     This approach provides defense-in-depth  If someone manages to leak the database table  it does not give an attacker an open door for impersonating users

User · Answer

I would store a user ID and a token  When the user comes back to the site  compare those two pieces of information against something persistent like a database entry   As for security  just don t put anything in there that will allow someone to modify the cookie to gain extra benefits  For example  don t store their user groups or their password  Anything that can be modified that would circumvent your security should not be stored in the cookie

User · Answer

Improved Persistent Login Cookie Best Practice  You could use this strategy described here as best practice  2006  or an updated strategy described here  2015     When the user successfully logs in with Remember Me checked  a login cookie is issued in addition to the standard session management cookie  The login cookie contains a series identifier and a token  The series and token are unguessable random numbers from a suitably large space  Both are stored together in a database table  the token is hashed  sha256 is fine   When a non-logged-in user visits the site and presents a login cookie  the series identifier is looked up in the database    If the series identifier is present and the hash of the token matches the hash for that series identifier  the user is considered authenticated  A new token is generated  a new hash for the token is stored over the old record  and a new login cookie is issued to the user  it s okay to re-use the series identifier   If the series is present but the token does not match  a theft is assumed  The user receives a strongly worded warning and all of the user s remembered sessions are deleted  If the username and series are not present  the login cookie is ignored     This approach provides defense-in-depth  If someone manages to leak the database table  it does not give an attacker an open door for impersonating users

User · Answer

Improved Persistent Login Cookie Best Practice  You could use this strategy described here as best practice  2006  or an updated strategy described here  2015     When the user successfully logs in with Remember Me checked  a login cookie is issued in addition to the standard session management cookie  The login cookie contains a series identifier and a token  The series and token are unguessable random numbers from a suitably large space  Both are stored together in a database table  the token is hashed  sha256 is fine   When a non-logged-in user visits the site and presents a login cookie  the series identifier is looked up in the database    If the series identifier is present and the hash of the token matches the hash for that series identifier  the user is considered authenticated  A new token is generated  a new hash for the token is stored over the old record  and a new login cookie is issued to the user  it s okay to re-use the series identifier   If the series is present but the token does not match  a theft is assumed  The user receives a strongly worded warning and all of the user s remembered sessions are deleted  If the username and series are not present  the login cookie is ignored     This approach provides defense-in-depth  If someone manages to leak the database table  it does not give an attacker an open door for impersonating users

User · Answer

Investigating persistent sessions myself I have found that it s simply not worth the security risk  Use it if you absolutely have to  but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker   The reason being of course is that your cookies containing your persistent session are so easily stolen   4 ways to steal your cookies  from a comment by Jens Roland on the page  splattne based his answer on     By intercepting it over an unsecure line  packet sniffing   session hijacking  By directly accessing the user s browser  via either malware or physical access to the box  By reading it from the server database  probably SQL Injection  but could be anything  By an XSS hack  or similar client-side exploit

User · Answer

I would store a user ID and a token  When the user comes back to the site  compare those two pieces of information against something persistent like a database entry   As for security  just don t put anything in there that will allow someone to modify the cookie to gain extra benefits  For example  don t store their user groups or their password  Anything that can be modified that would circumvent your security should not be stored in the cookie

[security] What is the best way to implement "remember me" for a website?

Examples related to security

Examples related to cookies

Examples related to remember-me