Results 1 to 3 of 3
Thread: Always logged on Cookie
Aug 28, 2011, 18:57 #1
Always logged on Cookie
I'd like to know if the following system is insecure please:
A user is allowed to check the "always signed in" (24 hours) checkbox upon logging in.
If checked, the "userkey" cookie is set to exist for 24 hours. So the user can exit out of the browser session and relaunch the browser and still be logged in. This works by my web server checking if the "userkey" cookie matches any userkey in the user database. If it does, it creates a logged in session for that user.
Is this insecure? Because a user can create a fake userkey cookie and see if it matches that of another user's userkey, thus successfully logging in as another user?
What would be a better way to do this?
Aug 28, 2011, 19:15 #2
- Join Date
- Sep 2005
- Sydney, NSW, Australia
- 24 Post(s)
- 1 Thread(s)
As long as the userkey in the cookie is a long enough value (eg. a sha1 hash) it is no more likely to be guessed than the session id or password is.
Where it does lessen security is if someone else has access to use the computer to visit the site where the cookie already exists.
Aug 28, 2011, 20:14 #3