How Safe is Codeigniter Sessions

#11
[eluser]WanWizard[/eluser]
[quote author="keevitaja" date="1348609126"]How is "remember me" done in CodeIgniter forums and other sites? With the same logic as I was describing, or something more secure?[/quote]
Most sites implement it as you described earlier: with a hash in the cookie that links back to the user record, which is used to do a 'forced login' of that user.

In this context this is an interesting read: http://jaspan.com/improved_persistent_lo...t_practice. Here's an implementation of that: https://github.com/gbirke/rememberme

It is also good practice to (still) ask for a password if a user is authenticated using a remember_me cookie and he wants to change something important. This is the way, for example, Amazon or LinkedIn implement it.

#12
[eluser]boltsabre[/eluser]
I've seen (I think) where on Amazon they have a "half remember me" thingie... you go back to Amazon, and it says "hello boltsabre" in the login box. I can do certain restricted actions, but as soon as I want to view my personal account or anything that involves sensitive data I must then perform a full login.

It adds a bit of a personal touch to the website, but that's about it, the user must still login when they want to do something. I like it, best of both worlds!!!

#13
[eluser]keevitaja[/eluser]
[quote author="WanWizard" date="1348639137"][quote author="keevitaja" date="1348609126"]How is "remember me" done in CodeIgniter forums and other sites? With the same logic as I was describing, or something more secure?[/quote]
Most sites implement it as you described earlier: with a hash in the cookie that links back to the user record, which is used to do a 'forced login' of that user.

In this context this is an interesting read: http://jaspan.com/improved_persistent_lo...t_practice. Here's an implementation of that: https://github.com/gbirke/rememberme

It is also good practice to (still) ask for a password if a user is authenticated using a remember_me cookie and he wants to change something important. This is the way, for example, Amazon or LinkedIn implement it.[/quote]

I don't get this token series thing. Are there 2 cookies for "remember me"?

What if each time a user logs in (with "remember me" or not) all previous cookies and database entries are deleted and new ones issued? Also, at any given time the user can be logged in from a single computer! Wouldn't that make this approach obsolete?

#14
[eluser]WanWizard[/eluser]
No, there is only one cookie.

Server side, you have two values. One is the remember_me hash, which should be generated when a user logs in, is stored in the remember_me cookie, and is used to look up the user and do an automatic login whenever the cookie is presented. It should be reset when a user logs out, which will invalidate any remember_me cookie issued before.

The second thing that is suggested here is to store a second hash (the token), which is rotated on a regular basis, and is stored with the user as well, but a history is kept (for example the last 31 days worth of tokens). The last issued token is also stored in the remember_me cookie.

Now when a user presents itself, you can have the following situations:
* no session cookie, no remember_me cookie: public access, the user needs to login
* session cookie: login retrieved from the session, user is logged in
* remember_me cookie, invalid hash: public access, the user needs to login (I would issue a warning here)
* remember_me cookie, valid hash, last issued token: login retrieved from the hash, user is logged in
* remember_me cookie, valid hash, other issued token: login retrieved from the hash, user is logged in, warn the user the account was hacked!
* remember_me cookie, valid hash, invalid token: public access, the user needs to login (I would issue a warning here too)

The idea behind the token store is that you can detect that the remember_me cookie was stolen and used by someone else because the login by the hacker has caused the token to rotate, so your original cookie has a valid token, but not the last one issued.

This warning system depends on your token rotation interval and how long you store the tokens.

If you don't store multiple tokens but only rotate, you effectively have the last situation. And you have to decide what to do in that case: assume it's a valid login because the hash matches, or assume it's a brute force hacking attempt of some sort (with a random token) and deny access.
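The six situations listed in this post, worked through as an added example (constructed for illustration, not CodeIgniter's code or anything from the linked jaspan/rememberme projects). The cookie value, the per-user record layout, the `TOKEN_HISTORY` size and the choice to rotate the token on every remember-me login are all assumptions; `evaluate()` returns which of the six outcomes applies, and `theft_scenario()` plays out the stolen-cookie case from the post:

```python
"""Remember-me cookie with a per-user hash plus a rotating token series.

Constructed illustration: the single cookie carries "<hash>:<token>"; the
server keeps, per user, the current hash and a history of issued tokens.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

TOKEN_HISTORY = 31  # assumed policy: how many rotated tokens to remember per user


class Outcome(Enum):
    PUBLIC = "no cookies: public access, user must log in"
    SESSION = "session cookie: user logged in from session"
    BAD_HASH = "remember_me hash invalid: public access, warn"
    LOGIN_LATEST = "hash valid, latest token: automatic login"
    LOGIN_STALE = "hash valid, older token: login, warn that the cookie was used elsewhere"
    BAD_TOKEN = "hash valid, unknown token: public access, warn"


@dataclass
class UserRecord:
    user_id: int
    remember_hash: Optional[str] = None          # reset on logout, invalidating old cookies
    tokens: List[str] = field(default_factory=list)  # oldest first, latest last


class RememberMe:
    def __init__(self) -> None:
        self.users: dict = {}     # user_id -> UserRecord (stands in for the users table)
        self.by_hash: dict = {}   # remember_hash -> user_id lookup

    def _rotate_token(self, rec: UserRecord) -> str:
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        del rec.tokens[:-TOKEN_HISTORY]           # keep only the newest TOKEN_HISTORY entries
        return token

    def login(self, user_id: int) -> str:
        """Password login: issue a fresh hash and a first token; return the cookie value."""
        rec = self.users.setdefault(user_id, UserRecord(user_id))
        if rec.remember_hash:
            self.by_hash.pop(rec.remember_hash, None)
        rec.remember_hash = secrets.token_urlsafe(32)
        rec.tokens = []
        self.by_hash[rec.remember_hash] = user_id
        return f"{rec.remember_hash}:{self._rotate_token(rec)}"

    def logout(self, user_id: int) -> None:
        """Resetting the hash invalidates every remember_me cookie issued before."""
        rec = self.users[user_id]
        if rec.remember_hash:
            self.by_hash.pop(rec.remember_hash, None)
        rec.remember_hash = None
        rec.tokens = []

    def evaluate(self, session_user: Optional[int], cookie: Optional[str]
                 ) -> Tuple[Outcome, Optional[int], Optional[str]]:
        """Classify a request; returns (outcome, logged-in user id, replacement cookie)."""
        if session_user is not None:
            return Outcome.SESSION, session_user, None
        if not cookie:
            return Outcome.PUBLIC, None, None
        h, _, token = cookie.partition(":")
        user_id = self.by_hash.get(h)
        if user_id is None:
            return Outcome.BAD_HASH, None, None
        rec = self.users[user_id]
        # constant-time comparison against every token still in the history
        matches = [i for i, t in enumerate(rec.tokens)
                   if hmac.compare_digest(t.encode(), token.encode())]
        if not matches:
            return Outcome.BAD_TOKEN, None, None
        is_latest = matches[0] == len(rec.tokens) - 1
        new_cookie = f"{h}:{self._rotate_token(rec)}"   # rotate on every remember-me login
        outcome = Outcome.LOGIN_LATEST if is_latest else Outcome.LOGIN_STALE
        return outcome, user_id, new_cookie


def theft_scenario() -> Tuple[Outcome, Outcome]:
    """The stolen-cookie case from the post: whoever presents the copied cookie
    first rotates the token, so the original holder's next visit shows up as
    LOGIN_STALE, which is the signal to warn the account owner."""
    svc = RememberMe()
    cookie = svc.login(42)                      # user logs in with "remember me"
    copied = cookie                             # the same value is presented from elsewhere
    first, _, _ = svc.evaluate(None, copied)    # looks legitimate, token rotates
    later, _, _ = svc.evaluate(None, cookie)    # original cookie now carries an older token
    return first, later


if __name__ == "__main__":
    print(theft_scenario())   # (Outcome.LOGIN_LATEST, Outcome.LOGIN_STALE)
```

Two things the code makes visible that the prose leaves implicit: the record is keyed per user with one hash, so a second browser calling `login()` replaces the first browser's hash and that cookie becomes `BAD_HASH`; and the warning in `LOGIN_STALE` only fires while the older token is still inside the `TOKEN_HISTORY` window, which is the dependence on rotation interval and retention the post mentions. A real store would keep a hash of each token rather than the token itself.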

#15
[eluser]keevitaja[/eluser]
[quote author="WanWizard" date="1349160958"]
The idea behind the token store is that you can detect that the remember_me cookie was stolen and used by someone else because the login by the hacker has caused the token to rotate, so your original cookie has a valid token, but not the last one issued.
[/quote]

Will this work if "remember me" can be set from more than one computer?

And which one is the better approach:

- store the user's id in the cookie
- store the user's username in the cookie
- store the id from the "remember me" table

And of course the hash and token as well.

