What's the current thinking about those "remember me" checkboxes on login forms that basically allow users to return to the site and automatically log in?
I wonder how useful they are compared to just letting the browser save the login information and pre-fill the login form on return. Do they still add needed functionality that outweighs any reduction in security by offering the feature?

So, the question is about security. Say the application is mostly non-SSL, but the login form is an SSL post. So the login credentials are never sent in plain text. But the cookies are returned non-SSL. Since some pages are non-SSL, the session cookie is sent in plain text and could thus be hijacked.

I use session cookies so they do go away when the browser is closed or the "logout" link is selected. On the other hand, the "remember me" cookie persists for some number of days -- and provides password-less login. So, if this cookie is hijacked then an attacker can gain access for quite some time.

One suggested solution is to change the cookie's value each time it's used to log in. This is to limit the usefulness of a hijacked cookie. Of course, there's the window of time between stealing the cookie and the real user logging in again where the attacker has access.

The page linked below extends that process to include a "series" number so that if a cookie is used out of sequence it's assumed there's been a stolen cookie, and the application then sends a big fat warning to the user and destroys all "remember me" tokens for that series. Of course, by that time the damage may already be done.

http://jaspan.com/improved_persistent_login_cookie_best_practice

I'm somewhat against big fat warnings since I'm not so sure what the user can do with them, anyway.

Perhaps the best solution is to make the logged-in part of the site all SSL so that cookies are never on the wire unencrypted. Or maybe use two cookies to manage the "remember me" feature -- one non-SSL that flags that a "remember me" cookie may be available, and when detected redirect to SSL to read that cookie and perform the auto login.
But, then I'm back to wondering if the feature is worth all that trouble.

--
Bill Moseley
[EMAIL PROTECTED]

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
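The rotate-on-use scheme with a "series" identifier that the post describes, as an added example (not part of the original message and not Catalyst code). It is a minimal in-memory store: each successful use of a persistent token replaces it with a fresh one, a replay of an already-used token for a known series is treated as theft and revokes the whole series, and the Set-Cookie helper marks the cookie `Secure` so it is never sent over plain HTTP. The names `PersistentLoginStore`, `issue`, `validate`, `revoke_user`, `set_cookie_header` and `parse_cookie` are this example's own, and the 14-day lifetime is an assumed default.

```python
"""Persistent "remember me" tokens with series/token rotation.

Example code added to illustrate the list post; not the project's own
implementation.  Class and function names are assumptions of this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _digest(token: str) -> str:
    # Store only a hash of the token; a leaked table then yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ValidationResult:
    status: str                 # "ok", "theft", "expired" or "invalid"
    user: Optional[str] = None  # set for "ok" and "theft" so the app can warn the user
    new_token: Optional[str] = None


@dataclass
class _Series:
    user: str
    token_hash: str
    expires: float


class PersistentLoginStore:
    def __init__(self, days: int = 14, clock=time.time):
        self.ttl = days * 86400          # assumed default lifetime of a series
        self.clock = clock               # injectable for testing
        self._series: Dict[str, _Series] = {}

    def issue(self, user: str) -> Tuple[str, str]:
        """Start a new series after a real (password) login."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._series[series] = _Series(user, _digest(token), self.clock() + self.ttl)
        return series, token

    def validate(self, series: str, token: str) -> ValidationResult:
        """Check a presented cookie; on success rotate the token in place."""
        rec = self._series.get(series)
        if rec is None:
            return ValidationResult("invalid")
        if self.clock() > rec.expires:
            del self._series[series]
            return ValidationResult("expired")
        if not hmac.compare_digest(rec.token_hash, _digest(token)):
            # Known series but stale token: someone replayed an old cookie.
            # Assume theft and drop the series so neither holder can use it.
            del self._series[series]
            return ValidationResult("theft", user=rec.user)
        # Good auto-login: rotate so a captured cookie is single-use.
        new_token = secrets.token_urlsafe(32)
        rec.token_hash = _digest(new_token)
        rec.expires = self.clock() + self.ttl
        return ValidationResult("ok", user=rec.user, new_token=new_token)

    def revoke_user(self, user: str) -> int:
        """Logout or password change: drop every series belonging to the user."""
        doomed = [s for s, r in self._series.items() if r.user == user]
        for s in doomed:
            del self._series[s]
        return len(doomed)


def set_cookie_header(series: str, token: str, max_age: int) -> str:
    """Set-Cookie value for the persistent token.

    Secure keeps the cookie off plain-HTTP requests (the hijack path in the
    post); HttpOnly keeps it away from page scripts.
    """
    return (f"remember={series}:{token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def parse_cookie(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a 'series:token' cookie value; (None, None) if malformed."""
    if ":" not in value:
        return None, None
    series, _, token = value.partition(":")
    return series, token


if __name__ == "__main__":
    store = PersistentLoginStore()
    s, t = store.issue("alice")          # constructed sample user
    print(set_cookie_header(s, t, store.ttl))
    print(store.validate(s, t).status)   # ok (token now rotated)
    print(store.validate(s, t).status)   # theft (old token replayed)
```

On a "theft" result the application would log the user out everywhere and tell them; on "ok" it sets a new cookie with the returned token and the same series value. Because the series is deleted on detection, the window in which a stolen cookie is useful is bounded by the time until either party next logs in.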
