[Catalyst] Remember Me?

Bill Moseley moseley at hank.org
Tue Dec 11 06:43:07 GMT 2007


What's the current thinking about those "remember me" checkboxes on
login forms that basically allow users to return to the site and
automatically log in?

I wonder how useful they are compared to just letting the browser save
the login information and pre-fill the login form on return.  Do they
still add needed functionality that outweighs any reduction in
security by offering the feature?

So, the question is about security.  Say the application is mostly
non-SSL, but the login form is an SSL post.  So the login credentials
are never sent in plain text.  But the cookies are returned non-SSL.

Since some pages are non-SSL then the session cookie is sent in plain
text and could thus be hijacked.  I use session cookies so they do go
away when the browser is closed or the "logout" link is selected.

On the other hand, the "remember me" cookie persists for some number
of days -- and provides password-less login.  So, if this cookie is
hijacked then an attacker can gain access for quite some time.

One suggested solution is to change the cookie's value each time it's
used to login.  This is to limit the usefulness of a hijacked cookie.
Of course, there's the window of time between stealing the cookie and
the real user logging in again where the attacker has access.

The page linked below extends that process to include a "series"
number so that if a cookie is used out of sequence it's assumed there's
been a stolen cookie and the application then sends a big fat warning
to the user and destroys all "remember me" tokens for that series.
Of course, by that time the damage may already be done.

http://jaspan.com/improved_persistent_login_cookie_best_practice

I'm somewhat against big fat warnings since I'm not so sure what the
user can do with them, anyway.

Perhaps the best solution is to make the logged in part of the site
all SSL so that cookies are never on the wire unencrypted.  Or maybe
use two cookies to manage the "remember me" feature -- one non-SSL
that flags that a "remember me" cookie may be available and when
detected redirect to SSL to read that cookie and perform the auto
login.

But, then I'm back to wondering if the feature is worth all that
trouble.




-- 
Bill Moseley
moseley at hank.org
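For readers who want to see the series/token scheme from the linked page in working form, here is an added example (not Catalyst code and not from the post or the linked page): a server-side store that rotates the token on every use and treats a valid series with a stale token as a stolen cookie. The class name, the status strings, the dictionary-based storage and the user names are all assumptions made for the example.

```python
import hashlib
import secrets


class RememberMeStore:
    """Server side of the series/token persistent-login scheme.
    The persistent cookie carries (series, token); the store keeps
    only a hash of the current token for each series."""

    def __init__(self):
        self._series = {}  # series -> {"user": ..., "token_hash": ...}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """On a successful password login with 'remember me' ticked."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._series[series] = {"user": user, "token_hash": self._h(token)}
        return series, token  # both values go into the persistent cookie

    def redeem(self, series, token):
        """Returning browser presents its cookie.
        Returns (status, user, new_cookie_or_None)."""
        rec = self._series.get(series)
        if rec is None:
            return "unknown", None, None  # never issued or already revoked
        if not secrets.compare_digest(rec["token_hash"], self._h(token)):
            # Right series, stale token: this cookie was used out of
            # sequence, so someone else holds a copy.  Kill the series.
            del self._series[series]
            return "theft", rec["user"], None
        new_token = secrets.token_urlsafe(32)
        rec["token_hash"] = self._h(new_token)  # rotate on every use
        return "ok", rec["user"], (series, new_token)

    def logout(self, series):
        self._series.pop(series, None)


def simulate_theft():
    """Constructed scenario: a copied cookie is used by the thief first,
    then the real user returns with the same, now stale, cookie."""
    store = RememberMeStore()
    series, token = store.issue("alice")
    first, _, rotated = store.redeem(series, token)   # thief logs in
    second, _, _ = store.redeem(series, token)        # real user: stale
    third, _, _ = store.redeem(*rotated)              # thief's copy dead
    return first, second, third  # ("ok", "theft", "unknown")
```

The store cannot tell which of the two presenters was the thief, only that two copies exist, which is why the scheme revokes the whole series and warns the user; the thief still had access between the first and second redeem.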