"Remember Me On This Computer" - How Should It Work?

Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie. The username/one-time-access-token. It could be implemented differently in cases where the username is secret, as well. But whatever... the thing is not very high security: you steal the cookie and you're ready to go.

My question is on the functional side, however: when do you wipe their access tokens? If a user logs in without clicking "remember me" on another machine, should it invalidate their access tokens on all machines? I'm asking about how this is traditionally implemented, and also how it should be implemented.

Dan Rosenstark asked Jul 02 '09 14:07




1 Answer

I regularly use 2 or 3 machines simultaneously, and have "remember me" on all of them. If one of them disconnected the others, that would be very annoying, so I wouldn't recommend it.

Traditionally it would use a time-out, the cookie expires after a certain length of time (or when the user signs out).

It all depends on your security model. If you are writing an internal company application where you only ever expect one user to be on one computer then you might want to have tighter restrictions than gmail.

Also, bear in mind the possibility of Denial of Service - if an action on one machine can force another machine to be unusable, this could be used to prevent a legitimate user from taking control back in certain scenarios.

Nick Fortescue answered Sep 22 '22 12:09

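The design the question and the answer circle around (a per-machine access token that is bound to a time-out, revoked when that machine signs out, and not affected by what the user's other machines do) can be sketched as a small server-side token store. The following is an added example written for this page, not code from the question, the answer, or Gmail. It assumes a selector:validator cookie format and an in-memory dictionary standing in for a database; storing only a hash of the validator (so a leaked table cannot be replayed as a cookie) and the optional "revoke every other device" operation are design choices added here, not something the thread states.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RememberToken:
    """One 'remember me' grant for one user on one machine (constructed record shape)."""
    user: str
    device: str
    validator_hash: bytes   # SHA-256 of the secret half of the cookie; the secret itself is never stored
    expires_at: datetime


def _hash(validator: str) -> bytes:
    return hashlib.sha256(validator.encode("utf-8")).digest()


class RememberMeStore:
    """In-memory stand-in for a database table of per-device remember-me tokens."""

    def __init__(self, lifetime: timedelta = timedelta(days=30)) -> None:
        self.lifetime = lifetime          # the time-out the answer refers to
        self._tokens: dict[str, RememberToken] = {}   # keyed by the public selector

    def issue(self, user: str, device: str, now: datetime) -> str:
        """Create a fresh token for this machine and return the cookie value 'selector:validator'."""
        selector = secrets.token_urlsafe(12)    # public lookup key, safe to store in clear
        validator = secrets.token_urlsafe(32)   # secret half; only its hash is kept server-side
        self._tokens[selector] = RememberToken(user, device, _hash(validator), now + self.lifetime)
        return f"{selector}:{validator}"

    def check(self, cookie: str, now: datetime) -> str | None:
        """Return the user name if the cookie is valid and unexpired, else None."""
        selector, _, validator = cookie.partition(":")
        record = self._tokens.get(selector)
        if record is None:
            return None
        if now >= record.expires_at:          # time-out: drop the stale grant
            del self._tokens[selector]
            return None
        if not hmac.compare_digest(record.validator_hash, _hash(validator)):
            return None                       # selector known but secret wrong: reject, do not log in
        return record.user

    def sign_out(self, cookie: str) -> None:
        """Revoke only the grant behind this cookie; the user's other machines keep working."""
        selector = cookie.partition(":")[0]
        self._tokens.pop(selector, None)

    def revoke_all(self, user: str, keep_cookie: str | None = None) -> int:
        """Explicit 'sign out everywhere' action. Optionally keep the current machine's grant.
        Returns the number of grants removed."""
        keep_selector = keep_cookie.partition(":")[0] if keep_cookie else None
        doomed = [s for s, r in self._tokens.items() if r.user == user and s != keep_selector]
        for s in doomed:
            del self._tokens[s]
        return len(doomed)

    def active_devices(self, user: str, now: datetime) -> list[str]:
        """Device labels with a live grant, so the user can see where they are still signed in."""
        return sorted(r.device for r in self._tokens.values()
                      if r.user == user and now < r.expires_at)
```

Because every machine holds its own token, a normal sign-out on one machine never touches the others (the annoyance the answer warns about), while a deliberate `revoke_all` gives the user a way to clean up after a lost device. The time-out is enforced at check time, so a stolen cookie is still usable until expiry, which is exactly the limitation the question points out; the store does not change that, it only bounds it.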