
Today I have a need to design a persistent login system. I have followed this blog, http://www.bennadel.com/blog/1213-creating-a-remember-me-login-system-in-coldfusion.htm

Basically, as per this blog, the whole system involves 3 steps:

  1. If a user checks Remember Me while logging in, then an encrypted form of the userid will be stored in the cookie.

  2. Now when the user comes to the site after 1/2 days, when the session has expired, the cookies will be checked. If the userid cookie is found, it will be decrypted and stored in the SESSION to force login.

  3. Now in the onRequest() method, SESSION.userid is checked to determine the login status.

Up to this point everything looks good.

But what I did is, I copied the cookie from Firefox and created it in Chrome. And now I am able to successfully log in as that user in Chrome. Isn't this a big security issue?

Could anyone please suggest what should we do to prevent this?

user3427540
    Yes it is a security issue, but then persistent logins are in themselves a security issue. You could use some of the browser's user agent string or similar in your cookie value to check it is the same browser, etc... but that would not really help massively. Really it depends on the application and how secure the login needs to be, e.g. how sensitive the data behind the login is. If it is very sensitive then you should not be allowing persistent login in the first place. – andrewdixon Feb 25 '15 at 14:48

1 Answer


Yes, it's a security risk.

Persistent login functionality is a bit of a minefield and nothing is 100% resistant to attack.

You can mitigate this somewhat by treating your persistent cookies like a single-use password. If I understand correctly, your system is hashing the user's ID, meaning that the cookie will hold the same value indefinitely. Instead, it should be a cryptographically strong random string which is regenerated on each authentication.

There are several schools of thought on how best to deal with persistent logins and this question has been discussed many times before.

A few salient points:

  • The cookie itself is just as sensitive as a password and shouldn't be stored in the DB without being hashed.

  • When the user authenticates with the cookie, you remove it from the database and issue a new one.

  • The cookie should only ever be sent over HTTPS, which means either your entire site needs to run under HTTPS, or you can use a second cookie that simply tells the system a secure persistent cookie exists, and can force a redirect to a secure page to authenticate.

  • Users logged in with a persistent cookie should still have limited access to your system. Particularly sensitive information or actions should still be locked behind a login challenge.

  • Persistent cookies should only be valid for a fixed time period. How long this is would depend on the sensitivity of the application.

I would very much recommend you do some reading on the subject to get an idea of best practice. Login functionality is very easy to implement, and terribly complicated to get right.

Gary Stanton
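As an added illustration of the scheme the answer describes (not code from the answer or the linked blog, and in Python rather than ColdFusion): a random single-use token whose hash is stored server-side, consumed and rotated on every use, with a fixed lifetime and an HTTPS-only cookie. The in-memory store, the 14-day lifetime and the cookie name are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 14 * 24 * 3600  # assumed fixed lifetime of a persistent token: 14 days

# Constructed stand-in for the "remember me" table: token_hash -> (user_id, expires_at).
# Only the hash is stored, so a database leak does not expose usable cookies.
_store = {}


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, now=None):
    """Create a fresh cryptographically random token and persist only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, unlike a hashed user ID
    _store[_hash(token)] = (user_id, now + TOKEN_TTL)
    return token  # the raw value goes into the cookie and nowhere else


def redeem_token(token, now=None):
    """Single use: a valid token yields (user_id, replacement_token); otherwise None.

    The presented token is removed whether or not it is accepted, so a copied
    cookie can only ever be used once, and a stale or forged value is discarded.
    """
    now = time.time() if now is None else now
    entry = _store.pop(_hash(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None  # expired tokens are dropped rather than refreshed
    return user_id, issue_token(user_id, now)


def cookie_header(token):
    """Set-Cookie value: sent only over HTTPS and not readable from script."""
    return ("remember_me=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax"
            % (token, TOKEN_TTL))


if __name__ == "__main__":
    first = issue_token("alice")
    print(cookie_header(first))
    print(redeem_token(first))  # ('alice', '<new token>')
    print(redeem_token(first))  # None: the copied value is already spent
```

Because the cookie value itself is never stored, the hash comparison is a plain lookup; with a 256-bit random token there is nothing to guess, which is what the answer means by treating the cookie like a password.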