问题
I have a login page which asks for a username and password. This page has a checkbox "Remember Me".
Authentication is: For the username provided, convert the provided password to a hash using the salt stored with the user db record and compare the hash to the stored hash.
When a user ticks the box, what should I store in their cookie so they auto login next time they visit?
I was thinking that a good way was to store their username and a hashed value of their password in a cookie and to re authenticate the user on their next visit. The salt will be kept away stored in a database.
回答1:
It depends on the level of security you want to maintain. When I check a "Remember Me" box, I only want it to remember my username. I still want to provide my password as normal.
Storing username and hashed password in a cookie, seems like a bad idea to me.
回答2:
I would not store hashed passwords in the client cookie. I would create another abstraction between users and long lived sessions. I would start by reading the following article to get some ideas about the challenges:
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
The key part from that article is that not all logins should be created equal.
回答3:
If you really want to keep a user logged in then you should store a unique login token in a cookie, not the username or hashed password. When your server receives a login token you can compare it with your database of persistently-logged-in-users and see which user the token corresponds to. The server should store the login token, the username associated with that token, and an expiry time. Once a token has been used it should be invalidated so it cannot be reused.
This minimizes information leaked to the client, and it limits the opportunities for an attacker to recover a legitimate user's password if they manage to steal the cookie (which is relatively easy to do).
I highly recommend that you also set the secure flag on all your cookies so they are only sent across secure connections, and make sure you have a relatively short timeout on persistent logins. Also, it's a good idea to have additional authorization checks, such as making sure the login token is associated with a particular IP address or browser fingerprint, to help prevent casual attacks. This still won't seriously hinder a determined attacker but might dissuade some script kiddies.
Finally, please consider taking @Craig T's advice and only remember the username, rather than keeping a user logged in. Persistent logins are very dangerous so you should think carefully about the value your users get from this vs the potential costs.
Good on you for correctly storing your passwords in your DB! It's amazing how many people think they don't need salts.
来源:https://stackoverflow.com/questions/8237086/good-secure-way-to-remember-a-user-checkbox