Re: [cgiapp] Safe way to remember user login?

2009-01-14 Thread Lyle

Mark Fuller wrote:

> On Tue, Jan 13, 2009 at 5:41 PM, Lyle webmas...@cosmicperl.com wrote:
>
>> People wrote:
>>
>> (various comments)
>>
>> I think you're right, I shouldn't worry and just let the browser handle it.
>> I might make it remember the username by default for convenience if they
>> choose to enter their password each time.
>
> I don't understand the remember me thing. If you use a cookie with a
> session key, and maintain on the server side that the user wants to be
> remembered, why even display the login page to them? Just treat them
> as already logged in, and let them into your site? That's what's going
> to happen anyway if you fill in the userID and password for them.
>
> It seems to me like what's really happening here is someone wanting to
> not be logged off for 2 weeks. Making them go through the login page
> with their credentials supplied for them, that's just making it harder
> to remain logged in for 2 weeks. (?)
>
> Maybe I don't get it.


Doh! That makes sense :) Like eBay's "remember me for a day". I could
have a "remember me" check box; when checked, have JavaScript add a drop
down box where they can select day, week, month, etc. Then just leave it
in the session.


Runs the risk of the session ID being found, but I guess if I verify the 
cookie and IP address...



Lyle


#  CGI::Application community mailing list  
####
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp##
####
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:  http://cgiapp.erlbaum.net/ ##
####




Re: [cgiapp] Safe way to remember user login?

2009-01-14 Thread Mark Fuller
On Wed, Jan 14, 2009 at 3:41 AM, Lyle webmas...@cosmicperl.com wrote:

> Runs the risk of the session ID being found, but I guess if I verify the
> cookie and IP address...

I think the risk of the session ID (cookie) hijacking is the same
either way. So, whether they are forced to a login page as a formality
(with their credentials already filled in) it would be the same thing.

I don't think you can tie cookies to IP addresses. Some users may be
behind firewalls, accessing the internet from clustered HTTP proxies.
There might be a way to associate those users with a block of
addresses.

You could create a (somewhat complicated) algorithm where you give
them a cookie via https. Then, every 5 minutes (or 5 days) redirect
them to that HTTPS URL to check if they have that cookie, update your
server-side session information to indicate it's been checked, and
then redirect back to the non-HTTPS URL they were really going to,
detect that they were just securely validated, and generate a new
cookie/sessionID. That would be relatively transparent to the end user
and invalidate hijacked cookies.

The time limit could be a fixed period of time, and an inactivity
time. It depends on how sensitive your site is.  Once every 12 hours,
or once after 1 hour of inactivity(?).

I think that would be effective. I haven't done it myself. I've been
thinking about it.

Mark





Re: [cgiapp] Safe way to remember user login?

2009-01-14 Thread Michael Peters

Mark Fuller wrote:

> I don't understand the remember me thing. If you use a cookie with a
> session key, and maintain on the server side that the user wants to be
> remembered, why even display the login page to them? Just treat them
> as already logged in, and let them into your site?


That's a good way to leave yourself vulnerable to CSRF attacks. If you prevent CSRF attacks in other 
ways (using referer, single use submission tokens, etc) then you're probably ok.



> Maybe I don't get it.


Just tell people to get a decent browser that remembers those things for them. Then they can worry 
about the security of their own machine and you won't be responsible if they lose their credentials.
Besides, if you were doing your passwords correctly, you wouldn't even be able to fill in the form 
since you wouldn't know what it is, only they would.


--
Michael Peters
Plus Three, LP






RE: [cgiapp] Safe way to remember user login?

2009-01-14 Thread Jesse Erlbaum
> The way I've accomplished this is by adding something like an md5key
> column to the users database.
>
> When someone checks the remember me button you can generate a key
> based on something like, their username / password / the current date +
> some salt (or whatever you like).


I do something a bit similar to that.  The difference is that the salt
is not known to the web browser.

The most important part of this idea is that there is a SECRET which is
known only to the server.

Send the user two cookies:

  1. A clear-text version of their username
  2. An MD5 hashed version of their user name, salted with the SECRET

(Never NEVER give them a cookie with their PASSWORD, or the SECRET.)

When the server gets a request from an un-authenticated user who has
these cookies, try re-hashing the clear-text username with the SECRET.
If it matches the hashed version in the browser, log the user in.


As far as relying on the browser to remember UID/PW:  Sometimes that's
OK, and sometimes that's annoying.  There are many sites on which I
prefer that I don't have to log in every time I go there.  For example,
Gmail.


Jesse




Jesse Erlbaum
The Erlbaum Group, LLC
817 Broadway, 10th floor
New York, NY 10003
212-684-6161 (office)
917-647-3059 (mobile)
212-684-6226 (fax)
je...@erlbaum.net
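An added example (not code from Jesse's post or from CGI::Application) of the two-cookie scheme in Python. It swaps the salted MD5 for an HMAC-SHA256 tag, compares in constant time, and folds an expiry into the tagged value so a copied cookie stops working after its window; the SECRET value and cookie names are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed placeholder: in production load the SECRET from configuration
# outside the web root. It is never sent to the browser.
SECRET = b"example-server-secret-replace-me"


def make_remember_cookies(username, ttl_seconds, now=None):
    """Return Jesse's two cookies: the clear-text username and a keyed hash of
    it. The expiry time is part of the hashed message (an addition to his
    scheme), so the browser cannot extend it without invalidating the tag."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = f"{username}|{expires}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return {"remember_user": username, "remember_tag": f"{expires}:{tag}"}


def check_remember_cookies(cookies, now=None):
    """Re-derive the tag from the clear-text username and the server SECRET.
    Return the username on a match, None on any mismatch, tampering or expiry."""
    now = int(time.time()) if now is None else now
    username = cookies.get("remember_user")
    tagged = cookies.get("remember_tag")
    if not username or not tagged or ":" not in tagged:
        return None
    expires_s, tag = tagged.split(":", 1)
    if not expires_s.isdigit():
        return None
    expires = int(expires_s)
    if now >= expires:
        return None  # the cookie outlived its validity window
    expected = hmac.new(SECRET, f"{username}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare so response timing does not leak matching bytes.
    if not hmac.compare_digest(expected, tag):
        return None
    return username
```

Because the tag is stateless, the only way to revoke it early is to rotate SECRET (which logs everyone out) or to add a server-side per-user value to the hashed message.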










Re: [cgiapp] Safe way to remember user login?

2009-01-13 Thread Michael Peters

Lyle wrote:

> I know a lot of sites have a check box for remember me or what not.
> But I'm trying to figure out a safe way to do this.


For me, the safest way to do it is to let the browser remember. All the major browsers know how to
remember usernames and passwords nowadays, so why duplicate that feature.


> Saving the username
> and password in cookies wouldn't be secure, so I guess some kind of
> cookie ID.


Storing an encrypted username and pw would be ok.

> But then once you display the login form you'd be writing out
> the password into the input type=password value=, which isn't
> secure either as someone could view source and grab it.


You're right that if someone checked remember me on a public computer then someone else could come 
by later and recover the username and password of the last person to do that. But that's the risk 
that happens when people tell public computers to remember their private information.


--
Michael Peters
Plus Three, LP






Re: [cgiapp] Safe way to remember user login?

2009-01-13 Thread Steve Comrie
The way I've accomplished this is by adding something like an md5key 
column to the users database.


When someone checks the remember me button you can generate a key 
based on something like, their username / password / the current date + 
some salt (or whatever you like).


Then store that key in the database table and pass a copy back to the
user as a cookie with an expiration of 1 week (or however long you'd like).


Now, of course if someone gets a hold of that cookie information they
will be able to log in. So for a little added security you might want to
set up a second field in the user database beside the md5key field that
contains a valid until date.


That way, when you check the cookie md5key vs the database md5key, you
check first that they match (if not you have a problem right off the
bat). If they do match and the current date is not past the md5key
expiry date then you let the person into the system, otherwise, kick
them back to the login screen.


---
Steve Comrie

Lyle wrote:

> Hi All,
> I know a lot of sites have a check box for remember me or what not.
> But I'm trying to figure out a safe way to do this. Saving the
> username and password in cookies wouldn't be secure, so I guess some
> kind of cookie ID. But then once you display the login form you'd be
> writing out the password into the input type=password value=,
> which isn't secure either as someone could view source and grab it.
>
> I'm guessing this kind of thing has come up for a lot of people on
> this list, care to share a solution?
>
> Lyle






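An added example (not Steve's code or anything from CGI::Application) of his server-side key plus valid-until date in Python with an in-memory SQLite table. It stores a random key instead of a hash of the credentials, keeps only a SHA-256 of the key in the database, and adds a revoke step for logout or password change; table and column names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time


def open_db():
    # Constructed users table with the two extra columns Steve proposes:
    # the remember-me key (stored hashed here) and its expiry.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY,"
               " remember_key_hash TEXT, valid_until INTEGER)")
    db.execute("INSERT INTO users (username) VALUES ('alice')")
    return db


def issue_remember_key(db, username, days, now=None):
    """Called when 'remember me' is ticked: store a random key and its
    valid-until date, and return the cookie value to send to the browser."""
    now = int(time.time()) if now is None else now
    key = secrets.token_urlsafe(32)  # unguessable and unrelated to the password
    db.execute("UPDATE users SET remember_key_hash = ?, valid_until = ?"
               " WHERE username = ?",
               (hashlib.sha256(key.encode()).hexdigest(), now + days * 86400, username))
    db.commit()
    return f"{username}:{key}"


def check_remember_key(db, cookie, now=None):
    """Steve's check, in his order: does the cookie key match the stored one,
    and if so, is the valid-until date still in the future?"""
    now = int(time.time()) if now is None else now
    if not cookie or ":" not in cookie:
        return None
    username, key = cookie.split(":", 1)
    row = db.execute("SELECT remember_key_hash, valid_until FROM users"
                     " WHERE username = ?", (username,)).fetchone()
    if row is None or row[0] is None:
        return None  # no outstanding remember-me key for this user
    stored_hash, valid_until = row
    presented_hash = hashlib.sha256(key.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented_hash):
        return None  # mismatch: "a problem right off the bat"
    if now > valid_until:
        return None  # expired: back to the login screen
    return username


def revoke_remember_key(db, username):
    """Clear the key on logout or password change so a stolen cookie dies with it."""
    db.execute("UPDATE users SET remember_key_hash = NULL, valid_until = NULL"
               " WHERE username = ?", (username,))
    db.commit()
```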




Re: [cgiapp] Safe way to remember user login?

2009-01-13 Thread Mark Fuller
On Tue, Jan 13, 2009 at 5:41 PM, Lyle webmas...@cosmicperl.com wrote:

> People wrote:
>
> (various comments)
>
> I think you're right, I shouldn't worry and just let the browser handle it.
> I might make it remember the username by default for convenience if they
> choose to enter their password each time.

I don't understand the remember me thing. If you use a cookie with a
session key, and maintain on the server side that the user wants to be
remembered, why even display the login page to them? Just treat them
as already logged in, and let them into your site? That's what's going
to happen anyway if you fill in the userID and password for them.

It seems to me like what's really happening here is someone wanting to
not be logged off for 2 weeks. Making them go through the login page
with their credentials supplied for them, that's just making it harder
to remain logged in for 2 weeks. (?)

Maybe I don't get it.

Mark
