Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Implementing remember me with token and series across multiple devices

I am attempting to implement a "remember me" utility using the system outlined here: Improved persistent login cookie

However there is an issue with the logic here for me and was wondering if anyone can clear this up for me.

  • A user is given a session ID. This a randomly generated string and is persistent over the lifetime of the user's account.

  • A user is given a token ID. This is a randomly generated string and is recreated every time the user successfully logs in.

Both of these values are stored as signed cookies on the user's machine and in the database.

The idea is that if someone manages to spoof the user's token and series and log-in as the user then they will generate a new token ID. The next time the legitimate user attempts to log-in then they will have a matching series but an invalid token thus notifying the system that a security breach has taken place and any necessary action can be taken (clearing the user's token).

This is great. However what happens when a user attempts to use my application from multiple devices or browsers? Say a user logs into my service with Chrome and checks remember me. Next time they log-in via Firefox and also selects remember me. A new token will have been generated so that the next time the user attempts to login with Chrome a false theft would be triggered - no?

If this is the case how can I implement this solution more reliably? I am well aware that cookie based authorisation is by it's very nature less secure and would not allow a cookie authorised user to perform any damaging actions such as purchases.

like image 242
George Reith Avatar asked Sep 22 '13 12:09

George Reith


People also ask

How do you implement Remember me on a website?

Clicking the “Remember Me” box tells the browser to save a cookie so that if you close out the window for the site without signing out, the next time you go back, you will be signed back in automatically. Make sure that you have your browser set to remember cookies, or this function will not work.

Which of the following should be used to construct a Remember Me token?

Which of the following should be used to construct a "remember me" token? Your application communicates with a third-party JSON API over the Internet. The API is accessed using an HTTPS connection, which is based on a self-signed certificate.

Is remember me secure?

The “remember me” option is safe to use on computers and devices that you can trust to protect your browser. It doesn't defeat the purpose of 2FA because the convenience it provides is limited to each computer and browser that you choose to use it on.


1 Answers

The original post that the "Improved persistent login cookie" refers, (found here: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/) states:

The cookie should consist of the user's username, followed by a separator character, followed by some large random number (128 bits seems mind-bogglingly large enough to be acceptable). The server keeps a table of number->username associations, which is looked up to verify the validity of the cookie. If the cookie supplies a random number and username that are mapped to each other in the table, the login is accepted.

At any time, a username may be mapped to several such numbers

So, the user can have many persistent tokens at the same time.

like image 150
1615903 Avatar answered Oct 13 '22 04:10

1615903