I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?

Also, are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability, which could be avoided while still giving the 'remember me' functionality?


Check stackoverflow.com/questions/549/… (part II of top answer)

2018-07-17, 03 min 51 s

if you are using ASP.NET, check out codeproject.com/Articles/779844/Remember-Me

2018-07-18, 03 min 51 s

There is some very useful info over in Security SE ~ security.stackexchange.com/questions/19676/…

2018-07-18, 03 min 51 s

see also: stackoverflow.com/questions/549/… you should NOT read the 'improved' version

2018-07-17, 03 min 51 s

The problem with this is that you expose the username in the cookie, though this is what Gmail does. Why do you need both a series ID and a token? Wouldn't a bigger token be fine?

2018-07-17, 03 min 51 s

Also, regarding this model, what is to prevent an attacker from stealing and then placing the cookie on his computer and deleting the cookie from the hacked computer? His computer would then be authenticated and updated as needed without the hacked computer ever knowing. The only change would be that the hacked computer's user would have to log in again and set remember me. Whether or not the hacked user recognizes this would be uncertain.

2018-07-18, 03 min 51 s

HiroProtagonist The Series Identifier is to prevent a DoS attack. Without it, I could quickly write a script hitting your site with every username and an invalid token, logging everyone on your site out.

2018-07-18, 03 min 51 s

roverred If you just use a long token, and destroy all sessions for a user when any invalid token arrives, I can write a script that hits your site with every username and all 0's for the token to log all users out. Run it in a loop, and no one can ever meaningfully log in. If a valid Series token is required, however, before the server acts against sessions, the DoS attack is prevented.

2018-07-17, 03 min 51 s
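Server-side check of the series + token scheme the two comments above describe, as an added example that is not part of the original thread or of the linked answers; the in-memory STORE, the `series:token` cookie layout and the function names are assumptions. An unknown series has no side effects (so spraying usernames with bogus tokens logs nobody out), while a known series with a wrong token is treated as theft and revokes that user's remember-me sessions.

```python
import hashlib
import hmac
import secrets

# In-memory table for the example: series_id -> {"user": ..., "token_hash": ...}.
# A real deployment would keep this in a database, keyed by series_id.
STORE = {}


def _hash(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(user: str) -> str:
    """Create a new series for `user` and return the cookie value 'series:token'."""
    series, token = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    STORE[series] = {"user": user, "token_hash": _hash(token)}
    return f"{series}:{token}"


def check_cookie(cookie: str):
    """Validate a presented remember-me cookie.

    Returns (status, user, new_cookie):
      ("ok", user, rotated_cookie)  series known and token matches; token rotated
      ("unknown", None, None)       series not known: ignored, nobody is logged out
      ("theft", user, None)         series known but token wrong: presumed stolen,
                                    every series for that user is revoked
    """
    series, _, token = cookie.partition(":")
    entry = STORE.get(series)
    if entry is None:
        # Guessing attacks land here: no state changes, so they cannot cause a
        # logout for anyone. Only a valid series lets the server act on sessions.
        return ("unknown", None, None)
    if hmac.compare_digest(entry["token_hash"], _hash(token)):
        new_token = secrets.token_urlsafe(24)
        entry["token_hash"] = _hash(new_token)  # rotate the token on every use
        return ("ok", entry["user"], f"{series}:{new_token}")
    # Valid series, wrong token: the previous token was used from somewhere else,
    # so revoke all remember-me series for this user and force a fresh login.
    user = entry["user"]
    for stale in [s for s, e in STORE.items() if e["user"] == user]:
        del STORE[stale]
    return ("theft", user, None)
```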

1. HTTPS is designed to prevent this. 2. Stay Logged In isn't the security problem here, you have bigger problems. 3. Same as 2. 4. This can be prevented by access-control policy and good input sanitation; if you don't take these steps, you again have bigger problems than Stay Logged In.

2018-07-17, 03 min 51 s