Charles Miller's solution for Remain Logged In cookie?

BigBoobsMan

New Member
I was reading this answer about how / why / why not I should implement a "remember me" option. However, I'm more interested in this section: "If you DO decide to implement persistent login cookies, this is how you do it". Why?
  • I want to know how to do it properly
  • Big sites like Facebook are doing it , and I want to implement it also.
And so, I've read the article which is in that link. This is the summary of that link (how to do it):
  • The cookie should consist of the user's username, followed by a separator character, followed by some large random number (128 bits seems mind-bogglingly large enough to be acceptable).
  • The server keeps a table of number->username associations, which is looked up to verify the validity of the cookie. If the cookie supplies a random number and username that are mapped to each other in the table, the login is accepted.
  • At any time, a username may be mapped to several such numbers. Also, while incredibly unlikely, it does not matter if two usernames are mapped to the same random number.
  • A persistent cookie is good for a single login. When authentication is confirmed, the random number used to log in is invalidated and a brand new cookie assigned.
  • The server need not make the effort of deliberately trying to avoid re-assigning random numbers that have been used before: the chance of it happening is so low that even if it did, nobody would know to make use of it.
  • When a user logs out through some deliberate logout function, their current cookie number is also invalidated. The user also has an option somewhere to clear all persistent logins being remembered by the system, just in case.
  • Periodically, the database is purged of associations older than a certain time-period (three months, perhaps: the size of the table would be far more an issue than any possibilities of collision in a 128 bit random space).
  • The following user functions must not be reachable through a cookie-based login, but only through the typing of a valid password:
    • Changing the user's password
    • Changing the user's email address (especially if email-based password recovery is used)
    • Any access to the user's address, payment details or financial information
    • Any ability to make a purchase
Results
If the login cookie is compromised, the attacker has access to the common functions of the site as that user. This is inevitable whatever the cookie contains. However, the attacker can not:
  • Access sensitive user information
  • Spend the user's money
  • Recover the user's password and try it on other sites
  • Prevent the user from receiving notifications from the site of things that may have been done in their name
  • Share the stolen login with others
Questions:
  1) Is it possible for the cookie to be stolen even if Facebook is over an SSL connection (+ secure cookie flag)?
  2) (Assuming he got the cookie) according to the solution above, the hacker will still be able to see messages and other sensitive data (although he won't be able to change information without typing the password again). But is it actually a risk that I should take? I mean, Facebook took the risk, and if they've implemented it that way, why can't I do it also?
  3) I assume this is the most up-to-date solution for "remember me". If there is another one which is better, I'll be happy for the reference/s.
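The scheme summarised in the post, as an added example that is not code from the post or from Charles Miller's article: an in-memory server-side table of random number to username, a single-use 128-bit number that is replaced on every cookie login, logout and clear-all invalidation, the three-month purge, and the gate that keeps sensitive functions behind a password login. The names RememberMeStore, allowed and SENSITIVE are my own.

```python
import secrets
import time

SEP = ":"                  # separator between username and random number in the cookie
MAX_AGE = 90 * 24 * 3600   # purge associations older than roughly three months
# functions that must only be reachable after a password login, per the summary
SENSITIVE = {"change_password", "change_email", "view_payment_details", "purchase"}

class RememberMeStore:
    """Server-side table: random number -> (username, issued_at)."""
    def __init__(self):
        self._table = {}

    def issue(self, username, now=None):
        """Create a fresh 128-bit number for the user and return the cookie value."""
        token = secrets.token_hex(16)  # 16 random bytes = 128 bits
        self._table[token] = (username, time.time() if now is None else now)
        return f"{username}{SEP}{token}"

    def consume(self, cookie, now=None):
        """Validate a cookie; on success invalidate its number and return (username, new_cookie)."""
        username, _, token = cookie.partition(SEP)
        entry = self._table.get(token)
        if entry is None or entry[0] != username:   # number unknown or mapped to someone else
            return None
        del self._table[token]                       # each number is good for a single login
        return username, self.issue(username, now)

    def logout(self, cookie):
        """Deliberate logout invalidates the cookie's current number."""
        self._table.pop(cookie.partition(SEP)[2], None)

    def clear_all(self, username):
        """The 'forget all persistent logins' option: drop every number for this user."""
        for token, (user, _) in list(self._table.items()):
            if user == username:
                del self._table[token]

    def purge(self, now=None):
        """Periodic cleanup of associations older than MAX_AGE."""
        now = time.time() if now is None else now
        for token, (_, issued) in list(self._table.items()):
            if now - issued > MAX_AGE:
                del self._table[token]

def allowed(password_verified, action):
    """A session that came from a cookie login may use common functions only."""
    return password_verified or action not in SENSITIVE
```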