Big Monty (United States of America)

asked on

security design question

I have a site where users can log in, and on the login screen there is a "Remember Me" checkbox. If the user checks it, their email will be written as a cookie, and next time the user hits a page where they need to log in, I have a function that checks for the cookie value and, if its value exists, logs them into the system with just the email.

My question is this: is it secure enough? The only time validation occurs JUST on the email is when a cookie value is present. Is there any way to "forge" a fake cookie with the correct email address?

I have no problem adding the password value as a cookie, encrypted of course. I'm just curious if this is enough.
ASKER CERTIFIED SOLUTION
Dave Baldwin
Big Monty (ASKER)
An MD5 doesn't give them the ability to login with the email address

could you explain why please?
MD5 (and SHA...) are one-way hashes.  You can't recreate the original string with anything less than a few supercomputers.  https://en.wikipedia.org/wiki/MD5

You can use the MD5 as a key to your database.  But if you have to login with the email address first, you can't see it in the cookie... if the cookie is the MD5.
Here is an option I came up with https://www.experts-exchange.com/articles/18259/User-Log-In-Using-A-Token.html.  This does use a cookie, but it changes every time it is used.

Your answer will depend on what you are trying to protect. Look at the type of info here: if somebody hijacked my account on EE, there is not really much in the way of personal info that you can't find anywhere else. Not too much harm. We are always "logged in" until we clear our cookies.

This process wouldn't be very good for a bank.  You would want to force log in all the time.

An option could be to use the remember me to recognize a user and serve some options. But if it is something that needs to go into an admin panel or update private info, you would probably want to ask for a password again.
Dave - gotcha. You're saying it can't be used on another computer because if it's hashed the chance of anyone snooping actually guessing the correct cookie to copy over is slim. Using a plain text email address increases the odds of it getting discovered.

Scott - that technique is a bit overkill for me right now, as I'm on deadline and don't want to rewrite the whole thing. Plus, the most personal data I'm keeping on the user is their hometown and their email address.

I'm currently using SHA256 on the password, I suppose I could keep that as a cookie instead of the email, just the thought of keeping a password, no matter its encryption, in a cookie goes against my own personal instinct :)
Just use SHA256 to hash any unique data and use that for the cookie value.
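The two suggestions in this thread (a cookie value that changes every time it is used, and storing only a SHA-256 hash rather than anything that identifies the user) can be combined in one small remember-me implementation. The following is an added example written for this page; it is not Scott's article code, Dave's code or the asker's site. It assumes an in-memory store standing in for the site's database table, a constructed 30-day lifetime, and function names that are hypothetical. The cookie carries a random selector plus a random secret; the server keeps only the SHA-256 of the secret, so a database read-out does not yield usable cookies, and each value is accepted once and then replaced. For contrast, the first function reproduces the accept-the-email-cookie logic described in the question, which accepts any registered address without proof of anything.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed policy for this example: remember-me cookies live 30 days.
REMEMBER_TTL = 30 * 24 * 3600


def weak_login_from_cookie(cookie_email: str, known_emails: Set[str]) -> Optional[str]:
    """The scheme from the question: whoever presents a registered email is logged in.

    Nothing in the cookie is secret, so the value is not evidence of a prior login."""
    return cookie_email if cookie_email in known_emails else None


@dataclass
class RememberRecord:
    user_id: str
    verifier_hash: str  # SHA-256 of the cookie's secret half; the secret is never stored
    expires_at: float


class RememberStore:
    """Constructed in-memory stand-in for a database table keyed by selector."""

    def __init__(self) -> None:
        self._by_selector: Dict[str, RememberRecord] = {}

    def put(self, selector: str, record: RememberRecord) -> None:
        self._by_selector[selector] = record

    def get(self, selector: str) -> Optional[RememberRecord]:
        return self._by_selector.get(selector)

    def delete(self, selector: str) -> None:
        self._by_selector.pop(selector, None)


def _hash(verifier: str) -> str:
    return hashlib.sha256(verifier.encode("utf-8")).hexdigest()


def issue_remember_cookie(user_id: str, store: RememberStore, now: Optional[float] = None) -> str:
    """Create a fresh cookie value 'selector:verifier' and store only hash(verifier)."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # public lookup key, random so it reveals nothing
    verifier = secrets.token_urlsafe(32)   # the actual secret, 256 bits from the OS CSPRNG
    store.put(selector, RememberRecord(user_id, _hash(verifier), now + REMEMBER_TTL))
    return f"{selector}:{verifier}"


def redeem_remember_cookie(cookie_value: str, store: RememberStore,
                           now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Validate a presented cookie. Returns (user_id, replacement_cookie) or None.

    The record is consumed on every lookup of a known selector, so a value works once
    and a copy presented later (or with a tampered secret) is rejected."""
    now = time.time() if now is None else now
    selector, sep, verifier = cookie_value.partition(":")
    if not sep or not selector or not verifier:
        return None
    record = store.get(selector)
    if record is None:
        return None
    # Single use: drop the record before checking, so a mismatch also revokes it.
    store.delete(selector)
    if now > record.expires_at:
        return None
    # Constant-time comparison avoids leaking how many hex digits matched.
    if not hmac.compare_digest(record.verifier_hash, _hash(verifier)):
        return None
    return record.user_id, issue_remember_cookie(record.user_id, store, now)


def set_cookie_header(value: str, name: str = "remember") -> str:
    """Set-Cookie header value with the flags a remember-me cookie should carry."""
    return f"{name}={value}; Max-Age={REMEMBER_TTL}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = RememberStore()
    cookie = issue_remember_cookie("user-42", store)
    print(set_cookie_header(cookie))
    print(redeem_remember_cookie(cookie, store))   # (user_id, new cookie)
    print(redeem_remember_cookie(cookie, store))   # None: already used
```

On the page the remember cookie should only restore a low-privilege session, as Scott's reply says; anything that edits private data still asks for the password. When a valid selector arrives with a wrong secret the record is revoked, which logs out the legitimate browser too, but that is the cheaper failure compared with letting a tampered copy be retried.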
SOLUTION
thanks for the input :)