
Secure Remember Me


dannon


I have looked at Google's cookies and I have noticed that they don't have the PHPSESSID cookie. Is there some kind of reason for this? Or are they just not using php ?

 

I was thinking about storing a hash in my MySQL database with a user id and then getting the ID, but if someone finds out someone's hash then they will be able to access their account.

Also I have thought about storing and checking the IP as well, but if the user is constantly moving locations then it will be a pain for the user.


A remember me feature is inherently insecure. You have to use a cookie for it to work as that is the only thing that will survive from one browser run to the next. What you do is generate some sort of hash value unique to that user and store that as the cookie value. When the user comes on the site check for that cookie and if it exists, check if the hash is in the database. If the hash exists then log them in as the associated user.

 

Some things you may consider to try and improve the inherent insecurity would be to:

- re-generate the hash on each page load; if someone managed to steal it the window of opportunity to use it would be small

- require a password still to do any type of profile-changing or other "important" stuff

 



Thank you!


I have run into a problem.

I have created a function to update the hash and sometimes it goes out of sync. I have also created a function to check the cookie hash against the database.

I got this to update the hash:

public function updateHash($user_id, $hash) {
    setcookie(C_HASH, $hash, time() + $this->rememberMeTime, '/'); // stored for a year
    // One row per user: insert it, or replace the hash if the user already has a row.
    // Bound parameters, as in checkRememberMe(), rather than interpolating into the SQL.
    $sth = $this->db->prepare("INSERT INTO " . TABLE_REMEMBER . " (hash, user_id) VALUES (:hash, :user_id) ON DUPLICATE KEY UPDATE hash = :hash2");
    $sth->execute(array(":hash" => $hash, ":user_id" => $user_id, ":hash2" => $hash));
}

and if I keep refreshing the page really quickly the cookie and the database hash go out of sync. How can I fix this?

I'm guessing that it stops the function in the middle of it being processed.


If you are wondering.. I use this to check the hash:


public function checkRememberMe($hash) {
    // Look the cookie value up in the remember-me table.
    $sth = $this->db->prepare("SELECT user_id, time, hash FROM " . TABLE_REMEMBER . " WHERE hash = :hash");
    $pass = array(
        ":hash" => $hash
    );
    $sth->execute($pass);

    $rememberDetails = $sth->fetch(PDO::FETCH_ASSOC);

    if (!empty($rememberDetails)) {
        // Known token: rotate it so a stolen copy is only usable until the next page load.
        // random_bytes() (PHP 7+) is a CSPRNG; rand() is not suitable for tokens.
        $hash2 = bin2hex(random_bytes(16));
        $this->updateHash($rememberDetails['user_id'], $hash2);
        return $rememberDetails['user_id'];
    } else {
        // Unknown token: end the session and clear the remembered login.
        $this->finishRemember = true;
        echo "Invalid remember me hash. Logging out.";
        echo C_HASH; // debug output
        $this->logout();
    }

    return 0;
}

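The following is an added example, not code posted in this thread, showing one way to build the scheme described in the reply above (random token in a cookie, looked up in the database, rotated, with sensitive actions still needing a password) while avoiding the two problems raised in the later posts. It goes beyond the thread in two ways, both my own choices: the cookie carries a selector plus a verifier, and only a SHA-256 hash of the verifier is stored, so a copied database row does not log anyone in; and tokens are rotated only when they are older than a few minutes rather than on every page load, which is what makes two quick refreshes fight over the same row. It uses PDO with an in-memory SQLite database so it runs on its own; the table, column, cookie and function names are assumptions of this example.

```php
<?php
// Added example, not code from the thread: remember-me tokens in the
// selector/verifier style on PDO + in-memory SQLite. Table, column, cookie
// and function names are assumptions of this example.
const REMEMBER_COOKIE = 'remember';          // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // cookie/token lifetime: 30 days
const ROTATE_AFTER    = 5 * 60;              // rotate tokens older than 5 minutes

function rememberDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only a hash of the verifier is stored, so a leaked table does not
    // yield working cookies (the "someone finds out the hash" concern).
    $db->exec('CREATE TABLE remember_tokens (
        selector      TEXT PRIMARY KEY,
        verifier_hash TEXT NOT NULL,
        user_id       INTEGER NOT NULL,
        issued_at     INTEGER NOT NULL,
        expires_at    INTEGER NOT NULL)');
    return $db;
}

// Create a token for $userId; returns the cookie value "selector:verifier".
function issueToken(PDO $db, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(9));   // 18 hex chars: the DB lookup key
    $verifier = bin2hex(random_bytes(32));  // 64 hex chars: proves possession
    $sth = $db->prepare('INSERT INTO remember_tokens
        (selector, verifier_hash, user_id, issued_at, expires_at)
        VALUES (:sel, :vh, :uid, :iat, :exp)');
    $sth->execute([':sel' => $selector, ':vh' => hash('sha256', $verifier),
                   ':uid' => $userId, ':iat' => $now, ':exp' => $now + REMEMBER_TTL]);
    return $selector . ':' . $verifier;
}

function sendRememberCookie(string $value, int $now): void
{
    // Array form (PHP >= 7.3) so SameSite can be set; HttpOnly keeps the
    // token away from script and Secure keeps it off plain HTTP.
    setcookie(REMEMBER_COOKIE, $value, ['expires' => $now + REMEMBER_TTL,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Validate a presented cookie. Returns null when it is not accepted, otherwise
// [user_id, new_cookie_value_or_null] (non-null when the token was rotated).
function checkToken(PDO $db, string $cookie, int $now): ?array
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                      // malformed: never reaches the DB
    }
    $sth = $db->prepare('SELECT verifier_hash, user_id, issued_at, expires_at
                         FROM remember_tokens WHERE selector = :sel');
    $sth->execute([':sel' => $m[1]]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null;                      // unknown selector or expired token
    }
    // Constant-time compare; the selector lookup alone grants nothing.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    // Rotate only if the token is older than ROTATE_AFTER. Rotating on every
    // request lets two overlapping requests race: the second one still carries
    // the old token and would be logged out (the quick-refresh problem).
    if ($now - (int) $row['issued_at'] < ROTATE_AFTER) {
        return [$userId, null];
    }
    $newCookie = issueToken($db, $userId, $now);
    $db->prepare('DELETE FROM remember_tokens WHERE selector = :sel')
       ->execute([':sel' => $m[1]]);
    return [$userId, $newCookie];
}

// Constructed walk-through: log in, return quickly, return later, reuse old token.
$db     = rememberDb();
$now    = time();
$cookie = issueToken($db, 42, $now);
var_dump(checkToken($db, $cookie, $now + 10)[0]);           // int(42), not rotated
$later  = checkToken($db, $cookie, $now + 600);
var_dump($later[0], $later[1] !== null);                    // int(42), bool(true)
var_dump(checkToken($db, $cookie, $now + 610));             // NULL: old token revoked
var_dump(checkToken($db, $later[1], $now + 620)[0]);        // int(42): new one works
```

The new token is inserted before the old one is deleted, so there is never a moment with no valid row. Rotating lazily narrows the quick-refresh race but does not remove it entirely; if two requests can still overlap at the rotation moment, the usual alternative is to keep the old row for a short grace period instead of deleting it immediately. Password changes and other sensitive actions should still require the password, as the reply above says, regardless of how the user was logged in.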

FYI "PHPSESSID" is just the default name for the session cookie in PHP. You can change it within your php.ini file. Google doesn't use PHP, but they have a cookie named "SID" which I'm guessing is their main session ID. Sessions are not PHP specific, but most web languages will take a similar approach.
