What is the best way to implement “remember me” for a website? [closed]

by

Improved Persistent Login Cookie Best Practice

You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):

  1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
  2. The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table, the token is hashed (sha256 is fine).
  3. When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
    1. If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it’s okay to re-use the series identifier).
    2. If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user’s remembered sessions are deleted.
    3. If the username and series are not present, the login cookie is ignored.

This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.

More Related Contents:

  1. Are HTTP cookies port specific?
  2. Where to store JWT in browser? How to protect against CSRF?
  3. What is the best way to prevent session hijacking?
  4. Should JWT be stored in localStorage or cookie? [duplicate]
  5. How to manually decrypt an ASP.NET Core Authentication cookie?
  6. Remember me Cookie best practice?
  7. Setting cookie in iframe – different Domain
  8. What encryption algorithm is best for encrypting cookies?
  9. Fundamental difference between Hashing and Encryption algorithms
  10. Disable browser ‘Save Password’ functionality
  11. How to redirect all HTTP requests to HTTPS
  12. If you can decode JWT, how are they secure?
  13. JWT (JSON Web Token) automatic prolongation of expiration
  14. Are querystring parameters secure in HTTPS (HTTP + SSL)? [duplicate]
  15. Will web browsers cache content over https
  16. How to read a HttpOnly cookie using JavaScript
  17. Disable firefox same origin policy
  18. SSL and man-in-the-middle misunderstanding
  19. Is it possible to reverse a SHA-1?
  20. With HTTPS, are the URL and the request headers protected as the request body is?
  21. What is cross site scripting?
  22. What algorithm should I use to hash passwords into my database? [duplicate]
  23. What is happening when I have two CSP (Content Security Policies) policies – header & meta?
  24. Username and password in https url
  25. What is the difference between a cer, pvk, and pfx file?
  26. Why do salts make dictionary attacks ‘impossible’?
  27. If you use HTTPS will your URL params will be safe from sniffing? [duplicate]
  28. When the bots attack! [closed]
  29. Should I impose a maximum length on passwords?
  30. Google Authenticator available as a public service?

Leave a Comment