Best approach to store Remember Me data
#1

I am writing my own auth library (I know there are a lot of readily available, free, proven ones, but I want to get some experience and just make another fast and furious auth lib☻)

And I got stuck on one dilemma... with the "Remember Me" option.
As everybody knows, cookies are not a safe place to keep the user's data.

So I decided to make a new random key each time the user logs in
PHP Code:
$random_hash = bin2hex(random_bytes(30));

Store it in the cookies (with user_name and user_id, for a reason I will explain a little bit later☻).
After this I add a new line into the database with
PHP Code:
public function insert_user_session($user_name, $user_id, $session_hash)
{
    $data = array(
        'users_sessions_user_id'  => $user_id,
        'user_sessions_user_name' => $user_name,
        'session_hash'            => $session_hash,
    );
    $this->db->insert(self::$this_table_name, $data);

    return $this->db->insert_id();
}


As I see it, this approach has some advantages (the user can be logged in on several devices simultaneously).



So it seems to work, but I got two theoretical problems.
1) It creates new lines in the database really fast....
I tried keeping F5 pressed, and I got several hundred new lines.
2) There is a possibility of a hash collision: two users can get identical hashes, and someone can suddenly be logged in as a different user without any devious hacks☻
Of course I can check the existing entries in the database (before inserting) and repeat this all over again until I get a truly unique value.
But it seems to me like overkill (we need at least one additional query).
So I think I'll just compare the user_id from the cookies, so in case of a collision there will not be such an unusual situation and someone will not become a different person out of the blue..

So guys, can you advise me how to resolve this puzzle?
Maybe make a permanent hash that is assigned to the user for a long time?


Btw, I'm trying it on a local machine, and if I keep the F5 button pressed for a lengthy period of time (5 sec) I get the following error:
Message: mysqli::real_connect(): (HY000/1040): Too many connections
Does it say something? Maybe my CI configuration is wrong?
It seems too easy to DDoS my site ☻☻
#2

(This post was last modified: 12-18-2017, 12:05 PM by jreklund.)

I'm using Paragon Initiative approach for this: Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
Only a selector and token are saved, not a userid. That's only available in the database.

The automatic login algorithm looks something like:
1. Separate selector from validator.
2. Grab the row in auth_tokens for the given selector. If none is found, abort.
3. Hash the validator provided by the user's cookie with SHA-256.
4. Compare the SHA-256 hash we generated with the hash stored in the database, using hash_equals().
5. If step 4 passes, associate the current session with the appropriate user ID.

Q1. Re-use the selector and only update the token. Or both if you want. You will get the ID if step 4 matches.
Q2. Not possible, if you are using the right functions.
#3

I was reading the same article☻☻
I didn't get the whole algorithm.

Am I right that the selector is just a unique ID (and we must use a selector to add a little bit of secrecy about the number of users)?

So my table must have the following structure (bare minimum):
`id` integer(11) not null UNSIGNED AUTO_INCREMENT,
`selector` char(12),
`hashedValidator` char(64),
`userid` integer(11) not null UNSIGNED,
`expires` datetime,

How do I generate the selector to exclude a potential hash collision?

My main question is: do I need to generate a new selector and hashedValidator each time a user logs in, and add a new entry in the database?

So I mean, if the same user logs in using different browsers, will he get different cookies (that have a different selector and hashedValidator)?

Or do I need to make only one entry per user (so in Firefox and Chrome the user will get the same values in the selector and hashedValidator cookies)?
#4

Use cookies, but only store a token in them to check against your users table.

Read this Article on it:

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
#5

(This post was last modified: 12-19-2017, 09:00 AM by jreklund.)

Am i right - that selector - is just an unique ID (and we must use selector to add a little bit secrecy about amount of users)
The selector is a unique ID that gets randomized so that your software doesn't suffer from a timing attack. And so it doesn't reveal how many users are logged in.

Code:
CREATE TABLE `auth` (
 `id` int(11) UNSIGNED NOT NULL,
 `selector` char(12) COLLATE utf8mb4_unicode_520_ci NOT NULL,
 `token` char(128) COLLATE utf8mb4_unicode_520_ci NOT NULL,
 `userid` int(10) UNSIGNED NOT NULL,
 `expires` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci;
ALTER TABLE `auth`
 ADD PRIMARY KEY (`id`),
 ADD KEY `selector` (`selector`);

How do I generate the selector to exclude a potential hash collision?
Use one of the functions inside the article. If they do collide (12 chars), it's not likely that the random 64 chars will collide too, so the users will be kicked out. If you are paranoid, you will need to query the database.

My main question is: do I need to generate a new selector and hashedValidator each time a user logs in, and add a new entry in the database?
Each time a user clicks "Remember me" and opens your site after they have closed the browser / the session has been deleted by CI/the server.
Sure, there are people who never close their browser, but I keep mine static and the server has always timed out before 14 days (cookie).

So I mean, if the same user logs in using different browsers, will he get different cookies (that have a different selector and hashedValidator)?
Yes, he will get a different selector and token.

Or do I need to make only one entry per user (so in Firefox and Chrome the user will get the same values in the selector and hashedValidator cookies)?
Different.

Maybe you can get a few hints from my code. It's not tailored for CI, but it's using Paragonie examples.
https://github.com/jreklund/php4dvd/blob...ss.php#L73
https://github.com/jreklund/php4dvd/blob...nc.php#L19

And here are the official version from them:
https://github.com/psecio/gatekeeper/blo...mberMe.php
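The selector/validator flow from post #2 (separate, look up by selector, SHA-256 the validator, compare with hash_equals, then attach the user id) together with the rotation policy from post #5 (keep the selector, replace only the token), as an added example. It is not code from the thread, from the Paragon article, or from the linked repositories. It assumes a cookie laid out as selector:validator, a 12-character hex selector, a 64-character hex validator whose SHA-256 is what the `token` column holds, and a hypothetical in-memory TokenStore standing in for the `auth` table from post #5; the function and class names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. A PHP array stands in for the
// `auth` table (selector, token, userid, expires); replace TokenStore's
// methods with real queries when wiring this into an application.

const SELECTOR_BYTES  = 6;               // 6 bytes -> 12 hex chars (char(12))
const VALIDATOR_BYTES = 32;              // 32 bytes -> 64 hex chars in the cookie
const TOKEN_LIFETIME  = 14 * 24 * 3600;  // 14 days, as in post #5

/** Hypothetical in-memory stand-in for the auth table: selector => row. */
final class TokenStore
{
    /** @var array<string, array{token:string,userid:int,expires:int}> */
    private array $rows = [];

    public function insert(string $selector, string $hashedValidator, int $userId, int $expires): void
    {
        $this->rows[$selector] = ['token' => $hashedValidator, 'userid' => $userId, 'expires' => $expires];
    }

    public function find(string $selector): ?array
    {
        return $this->rows[$selector] ?? null;
    }

    public function updateToken(string $selector, string $hashedValidator, int $expires): void
    {
        $this->rows[$selector]['token']   = $hashedValidator;
        $this->rows[$selector]['expires'] = $expires;
    }

    public function delete(string $selector): void
    {
        unset($this->rows[$selector]);
    }
}

/**
 * Issue a fresh remember-me credential for $userId (one row per browser).
 * Returns the cookie value "selector:validator". Only sha256($validator)
 * is stored, so a leaked table does not yield usable cookies.
 */
function issueRememberMe(TokenStore $store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(SELECTOR_BYTES));   // lookup key, not secret
    $validator = bin2hex(random_bytes(VALIDATOR_BYTES));  // the actual secret
    $store->insert($selector, hash('sha256', $validator), $userId, $now + TOKEN_LIFETIME);
    return $selector . ':' . $validator;
}

/**
 * Steps 1-5 from post #2. Returns the user id on success, null otherwise.
 * On success the validator is rotated and the replacement cookie value is
 * written to $newCookie; the selector (and therefore the row) is reused.
 */
function checkRememberMe(TokenStore $store, string $cookie, int $now, ?string &$newCookie = null): ?int
{
    // 1. Separate selector from validator; reject anything malformed early.
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2
        || strlen($parts[0]) !== 2 * SELECTOR_BYTES
        || strlen($parts[1]) !== 2 * VALIDATOR_BYTES) {
        return null;
    }
    [$selector, $validator] = $parts;

    // 2. Fetch the row by selector only (a plain indexed lookup, no secret compared yet).
    $row = $store->find($selector);
    if ($row === null) {
        return null;
    }
    if ($row['expires'] < $now) {
        $store->delete($selector);
        return null;
    }

    // 3./4. Hash what the browser sent and compare in constant time.
    if (!hash_equals($row['token'], hash('sha256', $validator))) {
        // Known selector but wrong validator: assume the cookie was stolen
        // and used, and burn the whole series.
        $store->delete($selector);
        return null;
    }

    // 5. Associate the session with the user; rotate the validator in place.
    $fresh = bin2hex(random_bytes(VALIDATOR_BYTES));
    $store->updateToken($selector, hash('sha256', $fresh), $now + TOKEN_LIFETIME);
    $newCookie = $selector . ':' . $fresh;
    return $row['userid'];
}

// Constructed usage, not production wiring (setcookie/session_* calls omitted):
$store  = new TokenStore();
$now    = time();
$cookie = issueRememberMe($store, 42, $now);
$uid    = checkRememberMe($store, $cookie, $now, $rotated);  // 42; $rotated is the new cookie
$replay = checkRememberMe($store, $cookie, $now);            // null: old validator is burned
```

Two design notes. Because the row is found by selector alone and the secret is compared with hash_equals, the database lookup cannot leak which validators are "close" to a real one, which is the timing concern post #5 mentions. Deleting the row when a known selector arrives with a wrong validator means a replayed stolen cookie logs out the legitimate browser as well; that is deliberate theft detection, and since the selector itself is random it cannot be used to log users out without first holding their cookie.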
#6

(This post was last modified: 12-20-2017, 04:43 AM by glorsh66.)

Thanks a lot for your answer! You made it much clearer.