  1. #1 svcghost
    Always logged on Cookie

    Hey guys,

    I'd like to know if the following system is insecure please:

    A user is allowed to check the "always signed in" (24 hours) checkbox upon logging in.
    If checked, the "userkey" cookie is set to exist for 24 hours. So the user can exit out of the browser session and relaunch the browser and still be logged in. This works by my web server checking if the "userkey" cookie matches any userkey in the user database. If it does, it creates a logged in session for that user.

    Is this insecure? Because a user can create a fake userkey cookie and see if it matches another user's userkey, thus successfully logging in as another user?

    What would be a better way to do this?

  2. #2 felgall
    As long as the userkey in the cookie is a long enough value (e.g. a sha1 hash) it is no more likely to be guessed than the session id or password is.

    Where it does lessen security is if someone else has access to use the computer to visit the site where the cookie already exists.
    Stephen J Chapman
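The scheme from the first post (a "userkey" cookie matched against the user table, valid for 24 hours) and the reply's point that a long random value is no easier to guess than a session id can be shown side by side in code. The following is an added example, not svcghost's or felgall's code: a Python `WeakStore` stands in for the guessable variant the question worries about (short, sequential keys), and `RememberMeStore` is the hardened form. A dict stands in for the database, the 24-hour lifetime comes from the thread, and all class and function names are assumptions. Two details go beyond what the thread says and are labelled as such in the comments: the cookie is split into a lookup selector and a secret validator, and only a hash of the validator is stored, so a copy of the user table does not yield working cookies.

```python
"""Added example (not from the thread): a 'remember me' cookie store.

WeakStore      - short, sequential userkeys an attacker can enumerate.
RememberMeStore- 256-bit random validator; guessing it is no easier than
                 guessing a session id, which is felgall's point.
The dict standing in for the user table, the 'selector:validator' split and
the hashed storage are this example's assumptions, not the poster's design.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32        # 256-bit validator: brute force is infeasible
LIFETIME = 24 * 3600    # 24 hours, as in the original post


class WeakStore:
    """The guessable design the question worries about (for contrast only):
    the cookie is a small predictable number, so an attacker can just try
    neighbouring values and log in as other users."""

    def __init__(self):
        self.keys = {}          # userkey -> user
        self.next_key = 1000

    def issue(self, user):
        key = str(self.next_key)
        self.next_key += 1
        self.keys[key] = user
        return key

    def authenticate(self, cookie):
        return self.keys.get(cookie)


class RememberMeStore:
    """Hardened form: cookie = 'selector:validator'. The selector is the DB
    lookup key; the validator is the secret, stored only as a SHA-256 hash."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        # selector -> {"user": ..., "validator_hash": bytes, "expires": float}
        self.tokens = {}

    def issue(self, user):
        """Create a cookie value for `user`, valid for LIFETIME seconds."""
        selector = secrets.token_urlsafe(9)            # 12 chars, not secret
        validator = secrets.token_urlsafe(TOKEN_BYTES)  # the secret half
        self.tokens[selector] = {
            "user": user,
            "validator_hash": hashlib.sha256(validator.encode()).digest(),
            "expires": self.now() + LIFETIME,
        }
        return f"{selector}:{validator}"

    def authenticate(self, cookie):
        """Return the user for a valid, unexpired cookie, else None."""
        if cookie is None or ":" not in cookie:
            return None
        selector, validator = cookie.split(":", 1)
        record = self.tokens.get(selector)
        if record is None:
            return None
        if self.now() > record["expires"]:
            del self.tokens[selector]        # past the 24-hour window
            return None
        presented = hashlib.sha256(validator.encode()).digest()
        # constant-time compare: no timing oracle on the validator
        if not hmac.compare_digest(presented, record["validator_hash"]):
            # right selector, wrong secret: treat as a stolen or forged cookie
            # and revoke the token (an assumption of this example's policy)
            del self.tokens[selector]
            return None
        return record["user"]

    def revoke_all(self, user):
        """Log a user out everywhere, e.g. after a password change."""
        for sel in [s for s, r in self.tokens.items() if r["user"] == user]:
            del self.tokens[sel]


def enumerate_cookies(store, candidates):
    """Attacker's view: present each candidate cookie value and collect the
    accounts it unlocks. Works against WeakStore, fails against the other."""
    hijacked = []
    for candidate in candidates:
        user = store.authenticate(candidate)
        if user is not None:
            hijacked.append(user)
    return hijacked


if __name__ == "__main__":
    weak = WeakStore()
    weak.issue("alice")
    weak.issue("bob")
    print("weak store, 10 guesses:", enumerate_cookies(weak, [str(i) for i in range(1000, 1010)]))
    strong = RememberMeStore()
    cookie = strong.issue("alice")
    print("hardened store, valid cookie:", strong.authenticate(cookie))
    print("hardened store, 10 guesses:", enumerate_cookies(strong, [f"{i}:{i}" for i in range(10)]))
```

The block only models the server side. When the value is actually sent to the browser, set it with the `Secure` and `HttpOnly` cookie attributes so it is not exposed on plain HTTP (the sniffing case mentioned later in the thread) or to page scripts; none of this helps against someone sitting at an already logged-in machine, which is the residual risk felgall describes.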

  3. #3 svcghost
    Quote Originally Posted by felgall:
    As long as the userkey in the cookie is a long enough value (e.g. a sha1 hash) it is no more likely to be guessed than the session id or password is.

    Where it does lessen security is if someone else has access to use the computer to visit the site where the cookie already exists.
    Yeah, I figured it's the same thing as guessing a password really, but harder (not taking into account network security, where cookies can be sniffed). Thanks, Felgall. And I see your point about access to the computer. Thanks!

