dannon Posted October 21, 2012

Hi, I am working on a login form and I am trying to add a secure remember-me feature. I don't really trust cookies, because people can change those. So how can I create a secure remember-me feature?
dannon Posted October 21, 2012 (edited)

I have looked at Google's cookies and I have noticed that they don't have the PHPSESSID cookie. Is there some kind of reason for this? Or are they just not using PHP? I was thinking about storing a hash in my MySQL database with a user ID and then getting the ID, but if someone finds out someone's hash then they will be able to access their account. I have also thought about storing and checking the IP as well, but if the user is constantly moving locations then it will be a pain for the user.

Edited October 21, 2012 by dannon
kicken Posted October 21, 2012

A remember-me feature is inherently insecure. You have to use a cookie for it to work, as that is the only thing that will survive from one browser run to the next. What you do is generate some sort of hash value unique to that user and store that as the cookie value. When the user comes on the site, check for that cookie and, if it exists, check if the hash is in the database. If the hash exists, then log them in as the associated user.

Some things you may consider to try and improve the inherent insecurity would be to:
- re-generate the hash on each page load; if someone managed to steal it, the window of opportunity to use it would be small
- still require a password to do any type of profile-changing or other "important" stuff
dannon Posted October 21, 2012 (quoting kicken's reply above)

Thank you!
dannon Posted October 22, 2012

I have run into a problem. I have created a function to update the hash and sometimes it goes out of sync. I have also created a function to check the cookie hash against the database. I got this to update the hash:

    public function updateHash($user_id, $hash) {
        setcookie(C_HASH, $hash, time() + $this->rememberMeTime, '/'); //stored for a year.
        // Bind the values instead of interpolating them into the SQL string
        // (the original also had a stray quote after the last '$hash').
        $query = "INSERT INTO " . TABLE_REMEMBER . " (hash, user_id) VALUES (:hash, :user_id)"
               . " ON DUPLICATE KEY UPDATE hash = :hash2";
        $sth = $this->db->prepare($query);
        $sth->execute(array(':hash' => $hash, ':user_id' => $user_id, ':hash2' => $hash));
    }

If I keep refreshing the page really quickly, the cookie and the database hash go out of sync. How can I fix this? I'm guessing that it stops the function in the middle of it being processed.
dannon Posted October 22, 2012

If you are wondering, I use this to check the hash:

    public function checkRememberMe($hash) {
        // Look up the cookie value in the remember-me table
        $sth = $this->db->prepare("SELECT user_id, time, hash FROM " . TABLE_REMEMBER . " WHERE hash = :hash");
        $pass = array(":hash" => $hash);
        $sth->execute($pass);
        $rememberDetails = $sth->fetch(PDO::FETCH_ASSOC);
        if (!empty($rememberDetails)) {
            // Known hash: rotate it (new random value, stored in cookie and database)
            $hash2 = md5(crypt($this->misc->generateRandomString(32), rand()));
            $this->updateHash($rememberDetails['user_id'], $hash2);
            return $rememberDetails['user_id'];
        } else {
            // Unknown hash: end the session
            $this->finishRemember = true;
            echo "Invalid remember me hash. Logging out.";
            echo C_HASH;
            $this->logout();
        }
        return 0;
    }
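An added example (not code from this thread) covering both kicken's scheme above and the out-of-sync problem in the last two posts: the database stores only a hash of the cookie token (so a leaked table row is not a usable cookie), the token is rotated on every use, and a just-retired token is still accepted for a short grace window so two rapid requests carrying the same old cookie do not log the user out. It assumes pdo_sqlite; the table, class and method names are this example's own.

```php
<?php
// Added example, not code from the thread. Tokens are stored only as SHA-256
// hashes and rotated on use; a retired token stays accepted for a short grace
// period so two back-to-back requests with the same old cookie both succeed.
// Assumes pdo_sqlite; table, class and method names are this example's own.
final class RememberMe
{
    public function __construct(private PDO $db, private int $grace = 30, private int $maxAge = 2592000)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS remember (token_hash TEXT PRIMARY KEY,
            user_id INTEGER NOT NULL, issued_at INTEGER NOT NULL, retired_at INTEGER)');
    }
    // Issue a fresh token for $userId and return the raw value for the cookie.
    public function issue(int $userId): string
    {
        $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
        $st = $this->db->prepare('INSERT INTO remember (token_hash, user_id, issued_at)
                                  VALUES (:h, :u, :t)');
        $st->execute([':h' => hash('sha256', $token), ':u' => $userId, ':t' => time()]);
        return $token;
    }
    // Returns [user_id, replacement_token_or_null], or null if unknown/expired. A token
    // retired inside the grace window is accepted (a sibling request already rotated it).
    public function check(string $token): ?array
    {
        $h = hash('sha256', $token);
        $st = $this->db->prepare('SELECT user_id, retired_at FROM remember
                                  WHERE token_hash = :h AND issued_at > :min');
        $st->execute([':h' => $h, ':min' => time() - $this->maxAge]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) { return null; }
        if ($row['retired_at'] !== null) {
            return ((int)$row['retired_at'] + $this->grace >= time())
                ? [(int)$row['user_id'], null] : null;
        }
        $this->db->beginTransaction();                    // retire old + issue new atomically
        $this->db->prepare('UPDATE remember SET retired_at = :t WHERE token_hash = :h')
                 ->execute([':t' => time(), ':h' => $h]);
        $new = $this->issue((int)$row['user_id']);
        $this->db->commit();
        return [(int)$row['user_id'], $new];
    }
}
$rm = new RememberMe(new PDO('sqlite::memory:'));
$cookie = $rm->issue(42);
// Real handler: setcookie('remember', $cookie, ['path' => '/', 'expires' => time() + 2592000, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
[$uid, $next] = $rm->check($cookie);   // first use: $uid is 42, $next is the replacement token
var_dump($rm->check($cookie)[1]);      // quick refresh with the old cookie: NULL, but still logged in
```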
dannon Posted October 22, 2012

I have created a new topic.
Adam Posted October 29, 2012

> I have looked at Google's cookies and I have noticed that they don't have the PHPSESSID cookie. Is there some kind of reason for this? Or are they just not using PHP?

FYI, "PHPSESSID" is just the default name for the session cookie in PHP. You can change it within your php.ini file. Google doesn't use PHP, but they have a cookie named "SID" which I'm guessing is their main session ID. Sessions are not PHP-specific, but most web languages will take a similar approach.