Secure "Remember me" in the web application

I am new to webdev in

My problem is how to provide a secure Remember Me functionality. At the moment I am serializing the object into a cookie for future user authentication.

But now I thought that if someone copies my cookie, they can log in with the hacked account. Is there a more secure version for remembering the username between different sessions?



source to share

2 answers

"Remember me". The cookie usually contains a long session key. You can make it harder to use a stolen cookie by storing more information about the computer environment in which the cookie was created and check this information before accepting a cookie. This is called the "device fingerprint". It can be quite accurate, but it is not very easy to make and not 100% safe.

The IP number can be part of the device's fingerprint, but the IP numbers on mobile devices change very often, so this will significantly reduce the value of the cookie. You can check the HTTP header fields like "User-Agent", "Accept", "Accept-Language", etc. These fields will usually be different in two different browsers. You can use javascript and check os version, java version, etc. Etc.

Storing the device's fingerprint on the server along with the session key will make the remember-me-cookie a little stronger. However, it is still not very secure. An attacker who steals a cookie can probably collect all this information as well.

PS: Also remember that the user must be able to deactivate the mem-me-cookie if he knows that the cookie is lost, that is, if his computer is stolen.



You can store some additional information on the IP address of the cookie client as.



All Articles