asked on security design question
I have a site where users can log in, and on the login screen there is a "Remember Me" checkbox. If the user checks it, their email will be written as a cookie and next time the user hits a page where they need to log in, I have a function that checks for the cookie value, and if it's value exists, logs them into the system with just the email.
My question is this, is it secure enough? The only way validation occurs JUST on the email is when a cookie value is present. Is there any way to "forge" a fake cookie with the correct email address?
I have no problem adding the password value as a cookie, encrypted of course. I'm just curious if this is enough.
My question is this, is it secure enough? The only way validation occurs JUST on the email is when a cookie value is present. Is there any way to "forge" a fake cookie with the correct email address?
I have no problem adding the password value as a cookie, encrypted of course. I'm just curious if this is enough.
Web DevelopmentSecurityWeb Languages and Standards
Last Comment
Big Monty
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
MD5 (and SHA...) are one-way hashes. You can't recreate the original string with anything less than a few supercomputers. https://en.wikipedia.org/wiki/MD5
You can use the MD5 as a key to your database. But if you have to login with the email address first, you can't see it in the cookie... if the cookie is the MD5.
You can use the MD5 as a key to your database. But if you have to login with the email address first, you can't see it in the cookie... if the cookie is the MD5.
Here is an option I came up with https://www.experts-exchange.com/articles/18259/User-Log-In-Using-A-Token.html. This does use a cookie, but it changes every time it is used.
Your answer will depend on what you are trying to protect. look at the type of info here, if somebody hijacked my account on EE, there is not really much in the way of personal info that you can't find anywhere else. Not too much harm. We are always "logged in" until we clear our cookies.
This process wouldn't be very good for a bank. You would want to force log in all the time.
An option could be to use the remember me to recognize a user and serve some options. But if it is something that needs to go into an admin panel or update private info, you would probably want to ask for a password again.
Your answer will depend on what you are trying to protect. look at the type of info here, if somebody hijacked my account on EE, there is not really much in the way of personal info that you can't find anywhere else. Not too much harm. We are always "logged in" until we clear our cookies.
This process wouldn't be very good for a bank. You would want to force log in all the time.
An option could be to use the remember me to recognize a user and serve some options. But if it is something that needs to go into an admin panel or update private info, you would probably want to ask for a password again.
ASKER
Dave - gotcha. You're saying it can't be used on another computer because if it's hashed the chance of anyone snooping actually guessing the correct cookie to copy over is slim. Using a plain text email address increases the odds of it getting discovered.
Scott - that technique is a bit overkill for me right now, as I'm on deadline and don't want to rewrite the whole thing. Plus, the most personal data I'm keeping on the user is their hometown and their email address.
I'm currently using SHA256 on the password, I suppose I could keep that as a cookie instead of the email, just the thought of keeping a password, no matter its encryption, in a cookie goes against my own personal instinct :)
Scott - that technique is a bit overkill for me right now, as I'm on deadline and don't want to rewrite the whole thing. Plus, the most personal data I'm keeping on the user is their hometown and their email address.
I'm currently using SHA256 on the password, I suppose I could keep that as a cookie instead of the email, just the thought of keeping a password, no matter its encryption, in a cookie goes against my own personal instinct :)
Just use SHA256 to hash any unique data and use that for the cookie value.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
thanks for the input :)
could you explain why please?