I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?
Also, are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability, which could be avoided while still giving the 'remember me' functionality?
This question is related to
security
cookies
remember-me
You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):
This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.
Investigating persistent sessions myself I have found that it's simply not worth the security risk. Use it if you absolutely have to, but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker.
The reason being of course is that your cookies containing your persistent session are so easily stolen.
4 ways to steal your cookies (from a comment by Jens Roland on the page @splattne
based his answer on):
I would store a user ID and a token. When the user comes back to the site, compare those two pieces of information against something persistent like a database entry.
As for security, just don't put anything in there that will allow someone to modify the cookie to gain extra benefits. For example, don't store their user groups or their password. Anything that can be modified that would circumvent your security should not be stored in the cookie.
Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).
When they return look them up by the remember me token and make sure the UserId matches.
Investigating persistent sessions myself I have found that it's simply not worth the security risk. Use it if you absolutely have to, but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker.
The reason being of course is that your cookies containing your persistent session are so easily stolen.
4 ways to steal your cookies (from a comment by Jens Roland on the page @splattne
based his answer on):
I would store a user ID and a token. When the user comes back to the site, compare those two pieces of information against something persistent like a database entry.
As for security, just don't put anything in there that will allow someone to modify the cookie to gain extra benefits. For example, don't store their user groups or their password. Anything that can be modified that would circumvent your security should not be stored in the cookie.
Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).
When they return look them up by the remember me token and make sure the UserId matches.
I would store a user ID and a token. When the user comes back to the site, compare those two pieces of information against something persistent like a database entry.
As for security, just don't put anything in there that will allow someone to modify the cookie to gain extra benefits. For example, don't store their user groups or their password. Anything that can be modified that would circumvent your security should not be stored in the cookie.
Store their UserId and a RememberMeToken. When they login with remember me checked generate a new RememberMeToken (which invalidate any other machines which are marked are remember me).
When they return look them up by the remember me token and make sure the UserId matches.
I would store a user ID and a token. When the user comes back to the site, compare those two pieces of information against something persistent like a database entry.
As for security, just don't put anything in there that will allow someone to modify the cookie to gain extra benefits. For example, don't store their user groups or their password. Anything that can be modified that would circumvent your security should not be stored in the cookie.
Source: Stackoverflow.com