Stealing "remember me" cookies a valid threat?

I'm using SSL to transmit all data. HTTP is completely disabled. Short of malware, or accessing someone's physical machine (both of which are very hard to prevent from the server side), I don't see how an attacker could steal a login cookie.

Thus, is it okay to not worry about stealing a login cookie?

The complexity to properly implement a non-stealable login cookie that still allows users to have sessions across different browsers and different machines is higher than the material it's safeguarding.

Thus, I believe it's okay to not safeguard against copying and pasting cookie data from machine to machine.

Is this a valid trade-off, or am I forgetting something critical here?

Alan asked Nov 01 '12 22:11


2 Answers

You do need to ensure that you have the Secure flag set on your cookie, because you can't generally prevent people from attempting to access your site over non-SSL. Otherwise, I believe you should be OK.

That said, I'd suggest taking reasonable precautions. For example:

  • Never include any data in cookies or on the wire that could be used to derive the user's password.
  • If possible, set the HttpOnly flag on sensitive cookies so that any potentially untrusted JavaScript can't steal them.
Jamey Sharp answered Oct 06 '22 09:10


Yes, it's a valid threat.

A "remember me" cookie places the security of your web service out of your control, by definition. Now, in general, anyone (especially a sophisticated attacker) who can hijack that cookie can log in as that user.

Let's take a real-world example: Google uses similar cookies for its services. You can be logged in for weeks at a time. From what I have observed, the way it mitigates cookie-theft attacks is by invalidating the cookie if it detects suspicious activity on the server side. For example, if I'm usually logged in from California, and I suddenly log in from another state/country (or have concurrent sessions from somewhere else!) I might be logged out and forced to re-authenticate. Not foolproof, of course, but usage patterns could be used to thwart some attacks.

Also, remember that a cookie is going to be browser-specific. For example, if the browser fingerprint was used to determine that the user just logged in from a different OS/browser/etc., that might be a good time to invalidate the cookie. Maybe you could get fancy and allow a certain amount of leeway if a browser's minor version is upgraded, but flag it if the browser version ever gets downgraded.

mpontillo answered Oct 06 '22 10:10
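The mitigations the two answers describe, pulled together as an added example (not code from the original post): the cookie is issued with the Secure and HttpOnly flags, only a hash of the token is kept server side, and the token is revoked when the browser family changes or its version is downgraded, while a version upgrade is tolerated. The User-Agent parsing and the in-memory store are simplified assumptions for illustration.

```python
import hashlib
import re
import secrets
from typing import Optional

# Constructed in-memory store: sha256(token) -> {"user": ..., "fp": (family, (major, minor))}.
# A real deployment would keep this in a database so it survives restarts.
TOKEN_STORE: dict = {}

# Assumption: a deliberately simple fingerprint, browser family plus major.minor version.
UA_RE = re.compile(r"(Firefox|Chrome)/(\d+)\.(\d+)")


def fingerprint(user_agent: str) -> Optional[tuple]:
    """Reduce a User-Agent string to (family, (major, minor)); None if unrecognised."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def browser_matches(stored, current) -> bool:
    """Same browser family and an equal or newer version: upgrades pass, downgrades do not."""
    if stored is None or current is None:
        return stored == current
    return stored[0] == current[0] and current[1] >= stored[1]


def issue_remember_cookie(user: str, user_agent: str) -> tuple:
    """Mint a random token, store only its hash, and return (token, Set-Cookie header value)."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKEN_STORE[digest] = {"user": user, "fp": fingerprint(user_agent)}
    # Secure: never sent over plain HTTP. HttpOnly: not readable by page JavaScript.
    header = f"remember_me={token}; Path=/; Max-Age=1209600; Secure; HttpOnly"
    return token, header


def validate_remember_cookie(token: str, user_agent: str) -> Optional[str]:
    """Return the user for a valid token, or None (and revoke it) when the browser no longer matches."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = TOKEN_STORE.get(digest)
    if record is None:
        return None
    if not browser_matches(record["fp"], fingerprint(user_agent)):
        del TOKEN_STORE[digest]  # suspicious change: force the user to re-authenticate
        return None
    return record["user"]
```

A None result is the signal to clear the cookie and show the login form; the revoked hash means a copied token is useless even if the attacker later spoofs the original browser.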