Big Monty asked:

security design question

I have a site where users can log in, and on the login screen there is a "Remember Me" checkbox. If the user checks it, their email will be written as a cookie and next time the user hits a page where they need to log in, I have a function that checks for the cookie value, and if it's value exists, logs them into the system with just the email.

My question is this, is it secure enough? The only way validation occurs JUST on the email is when a cookie value is present. Is there any way to "forge" a fake cookie with the correct email address?

I have no problem adding the password value as a cookie, encrypted of course. I'm just curious if this is enough.
Tags: Web Development, Security, Web Languages and Standards

Last comment: Big Monty, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
Dave Baldwin

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Big Monty (ASKER)

"An MD5 doesn't give them the ability to login with the email address"

Could you explain why, please?
Dave Baldwin

MD5 (and SHA...) are one-way hashes. You can't recreate the original string with anything less than a few supercomputers. https://en.wikipedia.org/wiki/MD5

You can use the MD5 as a key to your database. But if you have to log in with the email address first, you can't see it in the cookie... if the cookie is the MD5.
Scott Fell

Here is an option I came up with: https://www.experts-exchange.com/articles/18259/User-Log-In-Using-A-Token.html. This does use a cookie, but it changes every time it is used.

Your answer will depend on what you are trying to protect. Look at the type of info here: if somebody hijacked my account on EE, there is not really much in the way of personal info that you can't find anywhere else. Not too much harm. We are always "logged in" until we clear our cookies.

This process wouldn't be very good for a bank. You would want to force a log in all the time.

An option could be to use the remember me to recognize a user and serve some options. But if it is something that needs to go into an admin panel or update private info, you would probably want to ask for a password again.
Big Monty (ASKER)
Dave - gotcha. You're saying it can't be used on another computer because if it's hashed the chance of anyone snooping actually guessing the correct cookie to copy over is slim. Using a plain text email address increases the odds of it getting discovered.

Scott - that technique is a bit overkill for me right now, as I'm on deadline and don't want to rewrite the whole thing. Plus, the most personal data I'm keeping on the user is their hometown and their email address.

I'm currently using SHA256 on the password, I suppose I could keep that as a cookie instead of the email, just the thought of keeping a password, no matter its encryption, in a cookie goes against my own personal instinct :)
Dave Baldwin

Just use SHA256 to hash any unique data and use that for the cookie value.
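The two suggestions above (Dave's "store a hash, not the email" and Scott's "a cookie that changes every time it is used") fit together in one pattern; here is an added example of it, not code from any poster or from the linked article. It assumes an in-memory dict standing in for the site's database, and the cookie flags in `cookie_attributes` are assumed defaults rather than anything the thread specifies.

```python
import hashlib
import secrets


class RememberMeStore:
    """Server-side table of remember-me tokens (constructed in-memory stand-in
    for the site's database; a real app would persist this)."""

    def __init__(self):
        # sha256(token) -> email. Only the hash is stored, so a leaked table
        # cannot be turned back into cookie values that would log someone in.
        self.by_hash = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Mint a fresh random token for `email`; the return value is what
        goes into the cookie. It is unrelated to the email, so knowing the
        address alone gives nothing to forge."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.by_hash[self._digest(token)] = email
        return token

    def redeem(self, cookie_value):
        """Validate a presented cookie. Returns (email, replacement_cookie),
        or (None, None) if the cookie is missing or unknown. The token is
        single-use: the old one is deleted and a new one issued, so a copied
        cookie stops working as soon as the legitimate browser uses it."""
        if not cookie_value:
            return None, None
        email = self.by_hash.pop(self._digest(cookie_value), None)
        if email is None:
            return None, None
        return email, self.issue(email)

    def revoke_all(self, email):
        """Log the user out of every remembered browser (e.g. on password change)."""
        for h in [h for h, e in self.by_hash.items() if e == email]:
            del self.by_hash[h]


def cookie_attributes(max_age_days=30):
    """Flags the remember-me cookie should carry (assumed sensible defaults):
    HttpOnly keeps it away from page scripts, Secure keeps it off plain HTTP,
    SameSite=Lax stops most cross-site sends, and Max-Age bounds its lifetime."""
    return {"HttpOnly": True, "Secure": True, "SameSite": "Lax",
            "Max-Age": max_age_days * 24 * 3600}
```

Note that hashing the email itself would not help: anyone who knows the address can compute the same hash, whereas the random token above cannot be derived from anything the user is known by.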
SOLUTION
Scott Fell

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Big Monty (ASKER)

Thanks for the input :)