Secure "Remember Me" Implementation

benhaynes asked for this feature almost 3 years ago — 1 comment

benhaynes commented almost 3 years ago Admin

@freen: Research indicates:

Making a session indefinite isn't a fantastic way to go, owing to the resulting:

- paralysis of server-side session data garbage collection
- increased exposure to session hijacking (they should expire on a regular basis, between 10 and 60 minutes)

These posts indicate that the best route is to have a OneToMany "remember_me" table, mapping user ids to random tokens. Allows for global session invalidation by user. Etc etc.

@jel-massih: I think the most standard and secure way is to just use a token cookie with a series identifier.

So the rememberme table will have "userId", "Token", "SeriesId". SeriesID represents a set of logins (since each login deletes and recreates the token, keeping the same series ID on successful login with the cookie).

Then if the cookie is hijacked and the user logs in with a crapped out cookie, it invalidates all tokens, ending the attacker's kill spree.
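The series/token scheme described in the comment above, as an added worked example (this is not code from the issue or from the project's own codebase). It assumes an in-memory dict standing in for the `remember_me` table with the three columns named in the thread (`userId`, `Token`, `SeriesId`), a cookie value of the form `seriesId:token`, and that only a SHA-256 hash of the token is persisted so a leaked table does not yield usable cookies. A password login starts a new series; each successful cookie login rotates the token but keeps the series; a valid series presented with a wrong token means an older token was replayed, so every series for that user is revoked.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class RememberMeRow:
    """One row of the hypothetical remember_me table (userId, Token, SeriesId)."""
    user_id: int
    series_id: str
    token_hash: str      # only the hash of the token is stored, never the token
    expires_at: float


class RememberMeStore:
    """In-memory stand-in for the remember_me table (assumption: a real deployment uses a DB)."""

    def __init__(self, lifetime_seconds: int = 30 * 24 * 3600, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock                       # injectable for testing expiry
        self.rows: dict[str, RememberMeRow] = {} # keyed by series_id
        self.theft_events: list[int] = []        # user ids whose series were replayed

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        """Password login: start a brand-new series and return the cookie value."""
        series_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.rows[series_id] = RememberMeRow(
            user_id, series_id, self._hash(token), self.clock() + self.lifetime
        )
        return f"{series_id}:{token}"

    def validate(self, cookie: str) -> tuple[int, str] | None:
        """Cookie login. Returns (user_id, rotated_cookie) on success, None otherwise."""
        try:
            series_id, token = cookie.split(":", 1)
        except ValueError:
            return None                          # malformed cookie
        row = self.rows.get(series_id)
        if row is None:
            return None                          # unknown series: plain rejection
        if row.expires_at < self.clock():
            del self.rows[series_id]             # expired: garbage-collect the row
            return None
        if not hmac.compare_digest(row.token_hash, self._hash(token)):
            # Known series but stale token: someone replayed an older cookie.
            # We cannot tell whether the user or the thief holds the stale copy,
            # so revoke every series for this user (global invalidation).
            self.revoke_all(row.user_id)
            self.theft_events.append(row.user_id)
            return None
        # Success: delete the old token and create a new one in the same series.
        new_token = secrets.token_urlsafe(32)
        row.token_hash = self._hash(new_token)
        row.expires_at = self.clock() + self.lifetime
        return row.user_id, f"{series_id}:{new_token}"

    def revoke_all(self, user_id: int) -> int:
        """Log the user out everywhere; returns the number of series removed."""
        doomed = [s for s, r in self.rows.items() if r.user_id == user_id]
        for s in doomed:
            del self.rows[s]
        return len(doomed)


def demo() -> dict:
    """Walk through a normal rotation, then a replay of the old cookie."""
    store = RememberMeStore()
    first = store.issue(42)                      # password login
    user, second = store.validate(first)         # cookie login: token rotated
    replay = store.validate(first)               # old cookie presented again
    return {
        "user": user,
        "rotated": first != second,
        "replay_rejected": replay is None,
        "theft_detected": store.theft_events == [42],
        "all_revoked": store.validate(second) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Storing the token hash rather than the token is the one addition beyond the thread; the series/token logic itself follows the comment. Note that the revocation also locks out the legitimate user until they log in with a password again, which is the intended trade-off.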
