security design question

I have a site where users can log in, and on the login screen there is a "Remember Me" checkbox. If the user checks it, their email will be written as a cookie and next time the user hits a page where they need to log in, I have a function that checks for the cookie value, and if its value exists, logs them into the system with just the email.

My question is this, is it secure enough? The only way validation occurs JUST on the email is when a cookie value is present. Is there any way to "forge" a fake cookie with the correct email address?

I have no problem adding the password value as a cookie, encrypted of course. I'm just curious if this is enough.
Big Monty (Web Ninja at large) Asked:

Dave Baldwin (Fixer of Problems) Commented:
I think that others generate a key that is stored in the database instead of using the email or password in the cookie. Even if it is just an MD5 of the email address, it's much more obscure than the email address itself.

If someone sat down at the computer and found the cookie, they could copy it to another computer and use it.  An MD5 doesn't give them the ability to login with the email address.  The session id might be more secure because it changes every time they connect with a new session.

Big Monty (Web Ninja at large) Author Commented:
"An MD5 doesn't give them the ability to login with the email address"

Could you explain why, please?
Dave Baldwin (Fixer of Problems) Commented:
MD5 (and SHA...) are one-way hashes.  You can't recreate the original string with anything less than a few supercomputers.

You can use the MD5 as a key to your database.  But if you have to login with the email address first, you can't see it in the cookie... if the cookie is the MD5.

Scott Fell, EE MVE (Developer & EE Moderator) Commented:
Here is an option I came up with. This does use a cookie, but it changes every time it is used.

Your answer will depend on what you are trying to protect. Look at the type of info here: if somebody hijacked my account on EE, there is not really much in the way of personal info that you can't find anywhere else. Not too much harm. We are always "logged in" until we clear our cookies.

This process wouldn't be very good for a bank.  You would want to force log in all the time.

An option could be to use the remember me to recognize a user and serve some options. But if it is something that needs to go into an admin panel or update private info, you would probably want to ask for a password again.
Big Monty (Web Ninja at large) Author Commented:
Dave - gotcha. You're saying it can't be used on another computer because if it's hashed the chance of anyone snooping actually guessing the correct cookie to copy over is slim. Using a plain text email address increases the odds of it getting discovered.

Scott - that technique is a bit overkill for me right now, as I'm on deadline and don't want to rewrite the whole thing. Plus, the most personal data I'm keeping on the user is their hometown and their email address.

I'm currently using SHA256 on the password, I suppose I could keep that as a cookie instead of the email, just the thought of keeping a password, no matter its encryption, in a cookie goes against my own personal instinct :)
Dave Baldwin (Fixer of Problems) Commented:
Just use SHA256 to hash any unique data and use that for the cookie value.
Scott Fell, EE MVE (Developer & EE Moderator) Commented:
For what you are doing it is probably fine. I agree with you though, not to put a hashed password in a cookie. The gist of the article is to create some type of random hash. Store that in the cookie and in the database along with the username and hashed (using different hash) password. Once the user logs in, change the hash you store in the cookie and the user table. You can make that as simple or complex as you want. Regenerating like this is one type of safeguard.

From there you can use anything in the user table as your password if you have a more secure item or page you want to protect.  If you are just storing emails, then ask them to submit their email address to verify. Or if you are storing a password, ask for their password and match the hashed input with the already hashed data in the db.

I think one of the biggest fears would be your user at Starbucks logs in and somebody with nothing better to do hijacks their session. All my sites that require log in I run over https on every page.
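
The scheme described in the comments above (a random value stored in both the cookie and the database, and replaced each time it is used), sketched in Python as an added example that is not part of the original thread. The in-memory `remember_table`, the function names and the 30-day lifetime are assumptions; because the token is random rather than derived from the email, knowing a user's email is not enough to produce a valid cookie.

```python
import hashlib
import secrets
import time

TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day lifetime, in seconds

# Constructed stand-in for a database table: token hash -> (email, expiry time).
remember_table = {}


def _hash(token):
    # Only the hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(email, now=None):
    """Return a new random cookie value for this user and record its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes, unrelated to the email
    remember_table[_hash(token)] = (email, now + TOKEN_LIFETIME)
    return token


def redeem_token(cookie_value, now=None):
    """Validate a remember-me cookie.

    Returns (email, replacement_cookie) on success, or None if the value is
    unknown, already used, or expired. Each token is accepted exactly once.
    """
    now = time.time() if now is None else now
    row = remember_table.pop(_hash(cookie_value), None)  # pop enforces single use
    if row is None:
        return None
    email, expires = row
    if now > expires:
        return None
    return email, issue_token(email, now)  # rotate: caller sets the new cookie


def forget_user(email):
    """Drop every outstanding token for this user (e.g. on password change)."""
    for key in [k for k, (e, _) in remember_table.items() if e == email]:
        del remember_table[key]
```

Send the returned value in a cookie marked `Secure` and `HttpOnly` over https, and still ask for the password before anything sensitive such as an admin panel or a change to private info.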
Big Monty (Web Ninja at large) Author Commented:
Thanks for the input :)