Security when using Cookies to Remember Me

开发者 https://www.devze.com 2023-03-15 06:54 出处：网络

I have implemented a login class in PHP, and want to create a remember me type functionality so users won\'t have to login with each visit.I have researched this a bit and was preparing to write it us

I have implemented a login class in PHP, and want to create a remember me type functionality so users won't have to login with each visit. I have researched this a bit and was preparing to write it using PHP setcookie(...) but then ran across this page: How开发者_如何学运维 to Create 'Remember Me' using jquery , store cookies. I was planning on writing this in PHP since it's my strength, but this page makes it look so easy in js: http://www.quirksmode.org/js/cookies.html

I am looking for a little guidance on gotchas for each method, and more specifically issues related to security. I just want to make sure I don't complicate the task or open any holes by providing this type of functionality.

Thanks, Kris

OpenID, facebook connect, twitter signin

I would advice you not to right(read below for cookie rememberme information) your own login system, because coding a secure system is difficult(storing password secure is HARD). It also saves you a bunch of coding. For example when you sign in at my openid example using google you can tell Google to remember you for 30 days. The code used for my example can be found at my github page.

Http_only

You should use http-only cookies to protect yourself against cookie stealing(Try not to use cookies from javascript). The php function setcookie also has a http-only flag. For session you could achieve this using something like:

<?php
ini_set("session.cookie_httponly", 1);
// or
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>

Do not Store data inside cookie

Also you should store as little information possible inside the cookies. Get the data from database(session). I think you easily accomplish rememberme cookies setting the expire of your sessions as high as you like, but not to high if you ask me.

Interesting read

This is also a pretty interesting read to improve session security: http://web.archive.org/web/20120417214604/http://segfaultlabs.com/files/pdf/php-session-security.pdf

It doesn't make much sense to create an identification token on the server, send it to the client and set there using Javascript compared to setting it at server-side in the first place.

More importantly, using Javascript makes it compatible with less clients, less robust, and less secure (as you cannot use HTTPOnly cookies).

Main problem is that when your site is used through not encrypted channel (regular HTTP, open WiFi network), everyone can get in possession of that cookie and gain an ability to login in behalf of your user.

There are few protection methods:

encoding browser/workstation-specific data in that cookie,
using HTTPS for everything,
using other storage (not cookies) - it is less possible that a script kiddie with Firesheep will try to capture localStorage data.

Also, as Gumbo mentioned (his comment is now gone and I have no idea, why), this applies for any session-based authentication. So, you PHP session has the same vulnerability (as it is still somehow cookie-based).