PHP “Remember Me” security flaw?

Question

I\'m in the middle of coding a \'remember me\'-equipped login form, and so far the tutorials I\'ve read (partly to make sure I\'m doing it right) all say to store the encrypted

Answer 1

Usually when the server is requested to remember the user, it issues an additional cookie beside the normal session cookie, and this new string contains the username and a reasonable amount of random characters which make it unguessable. This is obviously saved in the database (for security reasons you may want to treat it like a password and thus salt and hash it), and the next time the user connects with the same browser (assuming the old session expired) the application receives the random string, checks the database, and if there's a match the user is authenticated.

An alternative is moving the session expiration time ahead of some amount.

What are the security holes here? Provided you use a good random generator, the only thing that can happen is that the user accesses the application from a shared browser and doesn't manually logs out when it ends.

The normal rules always apply since you are on an insecure channel: use HTTPS, otherwise whoever sits in between your computer and the server can steal cookies (either the session one or the remember-me one) and act as if it were you.

Bonus, this must-read by Jeff Atwood

Answer 2

If you want it secure, dont allow your users to keep them logged in.

When setting the session, make sure to bind the ipaddress to the session ID, so that if someone picks up a session later, it can only be done from the same Ip address. Yo can do this by keeping a database with (hashed) session ids + hashed ipaddresses. I use phps function http://php.net/manual/en/class.sessionhandler.php to set a session handler and match sessions with ipaddresses.

Answer 3

Never save passwords in any way (encrypted password which can be used to login is still a password) on client.

Use randomly generated key, safely stored on server. These keys can be revoked later unlike the encrypted passwords which will be valid until changed.

Using php you can generate random key like this md5(uniqid(mt_rand(), true)). For better safety store it salted and hashed in db.

Example table:

login_keys (
  user_id int,
  key char(40), # sha1
  salt char(15)
)

Also note you should enable the HTTP only cookie option.

Answer 4

I have encountered this same issue while working on my own website, the best way I found to solve it was to simply not remember passwords, only usernames, providing a faster loggin but not a less secure one. The fact is that there is no sure fire way to keep the passwords absolutely secure. Besides with new browsers, the user can have their browser remember it.

But if you must have a saved password, try this:

Have multiple cookies, 2 would be the easiest, and use one for an encrypted password, while the other held an encryption key. The password in the database would hold a further encrypted password, obtained by using your stored encryption key(s). When you are ready to check the password, extract the values and encrypt the password.

Hope this was helpful. Good luck!

Edit: I might have misunderstood this, if the user is still logged in, it is good practice to store a session variable.