directus/directus

Secure "Remember Me" Implementation

benhaynes asked for this feature about 1 year ago — 1 comment

benhaynes commented about 1 year ago Admin

@freen: Research indicates:

Making a session indefinite isn't a fantastic way to go, owing to the resulting:

- paralysis of server-side session data garbage collection
- increased exposure to session hijacking (they should expire on a regular basis, between 10 and 60 minutes)

These posts indicate that the best route is to have a OneToMany "remember_me" table, mapping user ids to random tokens. Allows for global session invalidation by user. Etc etc.

http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
http://stackoverflow.com/a/11541271/739373

@jel-massih: I think the most standard and secure way is to just use a token cookie with a series identifier.

So the rememberme table will have "userId", "Token", "SeriesId". SeriesId represents a set of logins (since a successful login with the cookie deletes the token and creates a new one, keeping the same series ID).

Then, if the cookie is hijacked and the user logs in with a crapped-out cookie, it invalidates all tokens, ending the attacker's kill spree.
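The series/token scheme sketched in the comment, written out as a small in-memory store (an added example, not Directus code; the column names, hashing the token before storing it, and the `series:token` cookie format are my assumptions):

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class RememberMeRow:
    """One row of the hypothetical remember_me table (one user -> many rows)."""
    user_id: int
    series_id: str
    token_hash: str  # only a hash is stored, so a DB leak does not yield usable cookies


class RememberMeStore:
    def __init__(self):
        self.rows = []

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Password login: open a new series with a fresh random token."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.rows.append(RememberMeRow(user_id, series, self._hash(token)))
        return f"{series}:{token}"  # value to set in the cookie

    def authenticate(self, cookie):
        """Cookie login. Returns (user_id, rotated_cookie) on success,
        ("THEFT", user_id) when the series is known but the token is stale,
        and None when the series is unknown."""
        series, _, token = cookie.partition(":")
        row = next((r for r in self.rows if r.series_id == series), None)
        if row is None:
            return None  # unknown series: just not logged in
        if not secrets.compare_digest(row.token_hash, self._hash(token)):
            # Same series, wrong token: this cookie was already used once,
            # so either the user or an attacker holds a stale copy. Kill
            # every persistent login for the user and force a password login.
            self.invalidate_user(row.user_id)
            return ("THEFT", row.user_id)
        # Valid cookie: rotate the token but keep the series.
        new_token = secrets.token_urlsafe(32)
        row.token_hash = self._hash(new_token)
        return (row.user_id, f"{series}:{new_token}")

    def invalidate_user(self, user_id):
        """Global invalidation by user, as the linked posts recommend."""
        self.rows = [r for r in self.rows if r.user_id != user_id]
```

Replaying the original cookie after a rotation is what trips the theft path, which is the detection the comment describes.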
