Sometimes, I come across certain web development frameworks which don't provide an authentication feature, such as in Authentication ASP.NET.
I was wondering what security measures need to be considered when implementing "Remember Me" login features, by hand coding?
Here are the things I usually do:
Store the user name in cookie. The user name is not encrypted.
Store a secret key in a cookie. The secret key is generated using one way function based on user name. The server will verify secret key against user name, to ensure this user name is not being changed.
Use HttpOnly in cookie. http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
Anything else I have missed, which could possibly lead a security holes?
Use the “remember me” option to reduce how often you have to sign in with two-factor authentication (2FA) on the same web browser. It's safe to use on trusted computers, and lasts for 30 days.
Clicking the “Remember Me” box tells the browser to save a cookie so that if you close out the window for the site without signing out, the next time you go back, you will be signed back in automatically. Make sure that you have your browser set to remember cookies, or this function will not work.
The cookie should always be a random value that expires. There are cases where you can store the state as a cookie value and it not be a secuirty hazard, such as the users' preferred language, but this should be avoided as much as possible. Turning HttpOnlyCookies on, is a great idea.
Read A3: "Broken Authentication and Session Management" in the OWASP top 10 for 2010. One important point in this section is that https must be used for the entire session. If the session is lasting for a very long time, then this is even more important.
Also keep in mind that "Remember Me" creates a large window in which an attacker can "ride" on the session. This gives an attacker a very long time (Months?) in which he can deliver a CSRF attack. Even if you have CSRF protection an attacker can still ride on a session with XSS and XmlHttpRequest (HttpOnlyCookies will prevent a full hijack). "Remember Me" makes other threats like xss, csrf, sniffing more serious. As long as these vulnerabilities have been addressed, then you shouldn't have a problem with real world hackers.
The easiest (and secure) approach to implement a "remember me" feature would be to modify the session timeout your web.config file:
<configuration>
<system.web>
<sessionState timeout="60"/>
</sessionState>
</system.web>
</configuration>
Se the timeout to something high, maybe a month or so. If the "Remember Me" checkbox is unchecked then store a session variable of a more normal timeout (like 24 hours). Check this session variable in a header file for each request. If the checkbox is checked, then act normally and let asp.net take care of it.
If the session doesn't expire then it will be much easier to brute force. These values are large, but allowing a hacker to spend years trying to guess a session id is a vulnerability.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With