Best practice for 'remember me' functionality?

As part of a larger project I'm working on, we're looking to integrate a 'remember me' function in the user login process. One suggestion from the lead developer was to simply store their PHP session_id() in a cookie and in their record within the database. When they next visit the site, look up the session_id from the cookie and retrieve their credentials.

This works great for users who are based at one computer, but goes against the grain of cloud computing (it's a web app) where the user might access the site from different computers, and may want the option to remember their details on them all. For example, setting their session_id on one machine, and then re-setting it on another means they will be logged out of the first machine.

I'm inclined to suggest to the team that we create a separate database table which has the following structure:

+----------------+----------------+------------------+--------------------+
|    user_id     |   session_id   |    ip_address    | initial_login_date |
+----------------+----------------+------------------+--------------------+
|       5        |  123456789101  |   192.168.0.1    |     1305194639     |
+----------------+----------------+------------------+--------------------+
|       5        |  021456789101  | 255.255.255.255  |     1305194639     |
+----------------+----------------+------------------+--------------------+

All we then need to do is look up their session_id in the table, and fetch the user_id.

Is there a better way to achieve this?

BenM asked May 12 '11 09:05



4 Answers

This article helped me a lot

bassneck answered Sep 28 '22 19:09


I think I'd store a unique identifier in a cookie, and use it instead of the IP, as it is subject to change.

Wesley van Opdorp answered Sep 28 '22 19:09


First of all: You need to know that having such a feature creates a much larger time window for an attacker than a regular session does, because sessions are meant to be short (a few minutes/hours) while such a remember me feature is usually valid for a long term (several days, weeks or even months).

An attack on that would be similar to session attacks where an attacker aims for a valid identifier that is not just used for identification but also for authentication. That’s why you should consider whether a remembered user should have different privileges than a regularly authenticated user.

If you want to implement such a feature, do not use the original authentication credentials but use a random and unique token to identify the user and machine and store it on the server. You should also make sure that the user has control of all login sessions and remember me tokens so that he/she can revoke such sessions/remember me tokens if necessary.

Gumbo answered Sep 28 '22 21:09


Nothing is wrong with storing multiple persistent session ids for a user per computer. It may be better if you store a "last active timestamp" to help disallow simultaneous use of the same account from different computers.

Always use a special flag for persistent cookie logins and request real login for critical functions, like changing passwords etc.

Also, update the persistent cookie every time the user logs in to your site as an additional security measure.

I also support storing IPs and disallowing persistent logins if the IP mismatches. It is better not to auto-login the user than to have the site cracked.

Savas Alp answered Sep 28 '22 20:09
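The token store that Gumbo's and Savas Alp's answers describe, as an added example that is not part of the original thread: one row per user and device (modelled on the question's table), a random token instead of the PHP session id, rotation on every use, an IP check, and a revoke-all switch for the user. Splitting the cookie into a lookup selector and a hashed verifier, and the 30-day lifetime, are assumptions added here rather than anything the answers spell out; sqlite3 is used purely so the example runs offline.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed schema modelled on the question's table: one row per user+device,
# holding the SHA-256 of a random verifier rather than the PHP session id.
SCHEMA = """CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, token_hash TEXT NOT NULL, user_id INTEGER NOT NULL,
    ip_address TEXT NOT NULL, created_at INTEGER NOT NULL)"""
TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day validity

def open_store():
    db = sqlite3.connect(":memory:")  # in-memory for the demo
    db.execute(SCHEMA)
    return db

def issue_token(db, user_id, ip, now=None):
    """Issue a per-device cookie 'selector:verifier'; only the verifier's hash is stored."""
    now = int(now or time.time())
    selector, verifier = secrets.token_urlsafe(9), secrets.token_urlsafe(32)
    db.execute("INSERT INTO remember_tokens VALUES (?,?,?,?,?)",
               (selector, hashlib.sha256(verifier.encode()).hexdigest(), user_id, ip, now))
    return f"{selector}:{verifier}"

def check_token(db, cookie, ip, now=None):
    """Return (user_id, fresh_cookie) for a valid cookie, else None. The caller should
    flag the resulting session as a persistent login so that critical actions
    (changing the password etc.) still demand a real login."""
    now = int(now or time.time())
    selector, _, verifier = cookie.partition(":")
    row = db.execute("SELECT token_hash, user_id, ip_address, created_at FROM "
                     "remember_tokens WHERE selector=?", (selector,)).fetchone()
    if row is None:
        return None
    token_hash, user_id, stored_ip, created = row
    # Any failure burns the row: a wrong verifier for a known selector suggests a stolen
    # or guessed cookie, and expiry or an IP mismatch means "do not auto-login".
    db.execute("DELETE FROM remember_tokens WHERE selector=?", (selector,))
    if not hmac.compare_digest(token_hash, hashlib.sha256(verifier.encode()).hexdigest()):
        return None
    if now - created > TOKEN_LIFETIME or stored_ip != ip:
        return None
    # Valid: rotate, so each cookie is single-use and created_at doubles as last-active.
    return user_id, issue_token(db, user_id, ip, now)

def revoke_all(db, user_id):
    """Let the user log out every remembered device at once; returns rows removed."""
    return db.execute("DELETE FROM remember_tokens WHERE user_id=?", (user_id,)).rowcount
```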