$_COOKIE security pitfalls - What should I look out for


Darghon

Hi all,

 

I've currently been using a cookie as a "remind me" value for keeping users logged in for an entire day.

Now, after googling about cookie security it all comes down to the same underlying statements.

 

Cookies are not secure, and any data it contains is by extension, also not secure.

 

Now, due to the fact that I need the "remind me" functionality, I was wondering what the best practice for this is.

 

All my users have a UUID assigned to them, which is a 36-char long random string (in a specific pattern).

At the moment, I store that UUID in the cookie, and if the system finds it, it checks if the user exists, and re-assigns the session if it expired, within the valid period of the cookie.

 

Now, what should I do to make this better?

Any suggestions are welcome.

 

Thanks


There is nothing more you need to do. It sounds like you understand and have implemented the things that are typically recommended.

 

What I would suggest is that you also include a cookie that has the user's username. Check for a match on both items, which will ensure that even if someone was to penetrate the UUID scheme, they won't be able to impersonate someone else without also knowing the username that goes with the UUID.

 

And of course, the most important thing is that you are using HTTPS so that the conversations and disclosure of data across the internet are protected from sniffing.


The implementation is not secure.

 

First off, UUIDs are not meant for security purposes, and there's no guarantee whatsoever that they're difficult to guess. The only promise is that they're unique (with a reasonably high probability). Some UUID implementations do use secure random numbers, but others are simply time-based.

 

Either way, using constant plaintext IDs as authenticators is the worst possible choice, because anybody who manages to obtain the IDs effectively gets unlimited access to the accounts. This is even worse than plaintext passwords, because passwords can at least be changed easily. If you're using the UUIDs for other purposes as well, they may also be leaked all over the place.

 

It also doesn't sound like you've even thought about a mechanism to terminate those persistent sessions or detect obvious abuse. What happens when the user hits the log-out button? What happens after 24h when the session should expire? Are you just hoping that the user will respect the cookie timeout? You understand that this can be completely ignored, right?
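One way to build the "remember me" login so that it has the properties the reply above asks for (a random, single-purpose token instead of the UUID, server-side expiry, and revocation on logout or abuse). This is an added example, not code from any poster; it assumes a PDO connection `$pdo` and a table `persistent_logins` with the columns shown in the comment, all of which are assumptions for the example.

```php
<?php
// Added example: persistent-login token tracked server-side, so the server, not the
// browser's cookie timeout, decides when it stops working.
// Assumed schema (names are assumptions for this example):
//   persistent_logins(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//                     user_id INT, expires_at INT)

const REMEMBER_TTL = 86400; // one day, as in the original post

// Issue a token. The cookie carries selector:validator; the database stores only a
// hash of the validator, so a leaked table does not yield usable cookies.
function issueRememberToken(PDO $pdo, int $userId): void {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;
    $stmt = $pdo->prepare('INSERT INTO persistent_logins (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Validate the cookie on a request with no live session. Returns the user id or null.
function checkRememberToken(PDO $pdo): ?int {
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires_at FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()) {
        return null; // unknown or expired: enforced here, whatever the browser kept
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector but wrong validator: likely a forged or stolen cookie; revoke it.
        revokeRememberToken($pdo, $selector);
        return null;
    }
    return (int) $row['user_id'];
}

// Called on logout (and on the mismatch above): the token is dead server-side.
function revokeRememberToken(PDO $pdo, string $selector): void {
    $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
    setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Call `issueRememberToken()` after a successful password login, `checkRememberToken()` at the start of a request that has no session (then start a fresh session for the returned user), and `revokeRememberToken()` from the logout handler. A nightly `DELETE ... WHERE expires_at < ?` keeps the table from growing.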


Archived

This topic is now archived and is closed to further replies.
