Secure remember me function?
#1

[eluser]Adam Griffiths[/eluser]
I am in the middle of developing an authentication library. I have had the login feature for some time now but now I am adding in a remember me function.

I use the term function as loosely as possible; it's not a function, just a few extra lines of code. Anyway, it sets a cookie with a hash of the user's username. I was thinking of checking for this cookie in the "logged_in" function, and then setting session variables. But then I realised it was open to many security holes.

I need to get around the question "What happens if a script kiddie starts stealing cookies?" They could have access to the whole system.

Any ideas on methods to securely keep people logged in for multiple sessions?

Thanks.
#2

[eluser]dcunited08[/eluser]
Well, you could include in that cookie a copy of the requesting IP address. The security implication is that it could be faked as well. If you are running a forum or something similar, I do not see much of a problem. If the application is a bank site, I would not add this functionality. Are you including the username and then the hash or only the hash?
#3

[eluser]Adam Griffiths[/eluser]
[quote author="dcunited08" date="1225757775"]Well, you could include in that cookie a copy of the requesting IP address. The security implication is that it could be faked as well. If you are running a forum or something similar, I do not see much of a problem. If the application is a bank site, I would not add this functionality. Are you including the username and then the hash or only the hash?[/quote]

The problem with including an IP address is that quite a number of people have dynamic IPs, so their IP would change.

The main reason to include this function is for convenience. But I can see your point.

I had just included a hash of the username with a salt of the 32 character encryption key.

I am trying to think of a way that the cookie data can be checked on the server side somehow. But have no idea what could be checked server side.
#4

[eluser]dcunited08[/eluser]
The primary dogma of security is you do not trust the user, therefore you do not trust the remember-me cookie to be on the same system. The dynamic IP issue also happens with NATs: say I have users A and B behind a corporate firewall; they would have the same IP address, or they may switch as they hit various proxy servers. A cookie could be moved from A to B and both could work, or A may not work anymore because their address was NATed differently. The reason I asked about the hash is that you may want to just encrypt it instead of hashing it so that you can decrypt it and use it to search with. Or you may include the username in clear text and the hash so that it cannot be changed and then used to search with. Comparing the hash to a list of hashed usernames is not really scalable.

Currently, HTTP has almost no way to verify a client's identity beyond the "here, hold this and give it back" method, cookies. I say almost because there is such a thing as client-side certs. I have used them enough to know they are incredibly annoying and only used in extremely rare situations, read missile launch web application. (Honestly, there are some things web applications are never a good idea for and missile launch is one of those.) I will tell you that I worked on an application that attempted to verify unique machines by looking at the MAC IDs and disk IDs, both of which you cannot get from a PHP application. The main question is how secure does this site have to be and is it publicly accessible?
#5

[eluser]Adam Griffiths[/eluser]
I am building it for my CMS, which is already fairly secure and should stay that way. The last thing I want is some script kiddie with a cookie stealer to come and get access to the admin account and deface my website, or worse, my client's website.

If I code a function I will also add it to my Auth library, which would be good for the community.
#6

[eluser]dcunited08[/eluser]
Create it but do an if(group !== admin) or whatever. Allow it to work for 'normal' users but not for admin.
#7

[eluser]Adam Griffiths[/eluser]
That is a good point. I'll have a play around and see what I can come up with.

Thanks for the posts.
#8

[eluser]a&w[/eluser]
This thread is a little old but I'll post anyway.

Chris Shiflett has a book "Essential PHP Security" where he gives suggestions on how to persist logins, if you must. The rough gist of it is:

You store 3 more fields in your user database: identifier, token, and timeout.

The identifier is an encrypted hash of the username and salt:
Code:
$identifier = md5( $salt . md5 ($username . $salt) );

The token:
Code:
$token = md5( uniqid(rand(), true) );

Store the cookie with a value of $identifier:$token

The timeout stored in database should not exceed 7 days.

Every time the user logs in regenerate the token/identifier in the database and cookie so that particular cookie can only be used the one time.
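The scheme a&w summarises in post #8, combined with dcunited08's "not for admin" rule from post #6, written out as an added example. This is not code from any poster, from the book, or from CodeIgniter. Assumptions: the user table is a constructed in-memory array, random_bytes() and SHA-256 stand in for the md5()/uniqid() calls quoted above, the application key is a labelled placeholder, and only a hash of the token is stored server-side so a copy of the database does not hand out usable cookies.

```php
<?php
// Added example for this thread, not code from any poster or from CodeIgniter.
// It implements the identifier/token/timeout scheme summarised in post #8 and
// the "no persistent login for admins" rule from post #6. Assumptions: the user
// table is a constructed in-memory array; random_bytes() and SHA-256 replace the
// md5()/uniqid() calls quoted in the thread; only a hash of the token is stored.

const REMEMBER_LIFETIME = 7 * 24 * 3600;                     // timeout must not exceed 7 days
const APP_SALT = 'constructed-placeholder-key-not-a-secret';  // stand-in for the 32-char key

// Constructed user store: username => row. 'group' decides eligibility.
$users = [
    'alice' => ['group' => 'user',  'identifier' => null, 'token_hash' => null, 'timeout' => 0],
    'root'  => ['group' => 'admin', 'identifier' => null, 'token_hash' => null, 'timeout' => 0],
];

// Issue a fresh identifier:token pair, record it server-side, return the cookie value.
// Admin accounts get null: they must always log in with a password.
function remember_user(array &$users, string $username, int $now): ?string
{
    if (!isset($users[$username]) || $users[$username]['group'] === 'admin') {
        return null;
    }
    $identifier = hash('sha256', APP_SALT . hash('sha256', $username . APP_SALT));
    $token      = bin2hex(random_bytes(32));                  // 256 bits of CSPRNG output
    $users[$username]['identifier'] = $identifier;
    $users[$username]['token_hash'] = hash('sha256', $token); // DB leak does not yield a cookie
    $users[$username]['timeout']    = $now + REMEMBER_LIFETIME;
    return $identifier . ':' . $token;
}

// Clear the stored pair so every cookie issued for this user stops working.
function forget_user(array &$users, string $username): void
{
    $users[$username]['identifier'] = null;
    $users[$username]['token_hash'] = null;
    $users[$username]['timeout']    = 0;
}

// Validate a presented cookie. On success the old pair is discarded and a new
// cookie value is returned with the username, so each cookie works exactly once.
function login_from_cookie(array &$users, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$identifier, $token] = $parts;
    foreach ($users as $username => $row) {   // in a real DB: indexed lookup on identifier
        if ($row['identifier'] !== $identifier) {
            continue;
        }
        if ($row['timeout'] < $now) {          // expired: clean up and require a password
            forget_user($users, $username);
            return null;
        }
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            return null;                       // right identifier, wrong token
        }
        forget_user($users, $username);
        return [$username, remember_user($users, $username, $now)];
    }
    return null;
}

// Attributes to pass as the options array of setcookie() (PHP 7.3+):
// HttpOnly keeps the value away from injected scripts, Secure keeps it off plain HTTP.
function remember_cookie_options(int $now): array
{
    return [
        'expires'  => $now + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Demonstration on the constructed store.
$now    = time();
$cookie = remember_user($users, 'alice', $now);
$result = login_from_cookie($users, $cookie, $now + 3600);
echo "first use:  " . ($result ? "logged in {$result[0]}, new cookie issued" : "rejected") . "\n";
$replay = login_from_cookie($users, $cookie, $now + 3600);
echo "replay:     " . ($replay ? "accepted (bug)" : "rejected, cookie already consumed") . "\n";
$stale  = login_from_cookie($users, $result[1], $now + REMEMBER_LIFETIME + 1);
echo "after 7 d:  " . ($stale ? "accepted (bug)" : "rejected, timeout reached") . "\n";
echo "admin:      " . (remember_user($users, 'root', $now) === null ? "no cookie issued" : "bug") . "\n";
```

In a real request handler the value returned by remember_user() or login_from_cookie() would be sent with setcookie('remember', $cookie, remember_cookie_options($now)), and the cookie check would only run when no session is already present. The identifier is what the database is searched on (a plain indexed column, as dcunited08 suggested), the token is the secret that has to match, and regenerating both on every successful use is what limits a stolen cookie to a single replay before the legitimate user's next visit invalidates it.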