Question
I am currently working on a pet project website and I want to implement the "remember me" feature for logins and wanted to know if my procedure is secure. The authentication process basically goes something like this:
- If a user wants to be remembered and logs in successfully, alongside his session cookie he gets a long-lasting remember-me cookie.
- The cookie contains some random data (a UUID) and the user's id.
- The UUID and a salted hash of the user's id get stored in a database.
- When the user has to be reauthenticated from such a cookie, the user id from the cookie is checked against the hash from the database corresponding to that random data.
- If they match, the user is logged in, the current id/hash pair is deleted from the database and the user gets a new one to give potential cookie thieves a narrower window to act.
- Id/hash pairs older than 3 weeks get expired as well to further prevent cookie theft.
I would like some review of my method. Is this secure? If so, could it be implemented in any other, perhaps simpler, manner?
Explanation / Answer
You're overcomplicating the solution, and not really gaining much out of it. Others have gone over the flaws with your implementation, but I'll outline a better approach.
When a user chooses to have their authentication remembered across browser sessions, use a CSPRNG to generate a random 128-bit string. Send them this string, then hash it (SHA-2/256 is fine), and store the hash alongside the user record. When the user revisits your site, hash the token they've provided and look up the corresponding user record with that token. When a user explicitly logs out, delete the cookie from the browser and delete the hash of the token from the database.
I'd probably reissue tokens every time a user authenticated with one (e.g., they should be valid for one use only). And store the expiry date alongside the hashed token to ensure its maximum lifespan server-side.
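The scheme described in this answer, as an added example that is not part of the original answer: a 128-bit CSPRNG token, only its SHA-256 hash stored, single-use reissue, and a server-side expiry. The table name, function names, the in-memory SQLite store and the 3-week lifetime (taken from the question) are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

MAX_AGE = 21 * 24 * 3600  # assumed lifetime: the 3 weeks used in the question


def open_store():
    # In-memory SQLite stands in for the site's user database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, "
               "user_id INTEGER NOT NULL, expires_at REAL NOT NULL)")
    return db


def token_digest(token):
    # Only this SHA-256 digest is stored, so a leaked table yields no usable cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(db, user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)  # 16 bytes = 128 bits from the OS CSPRNG
    db.execute("INSERT INTO remember_tokens VALUES (?, ?, ?)",
               (token_digest(token), user_id, now + MAX_AGE))
    db.commit()
    return token  # goes into the cookie; never stored server-side


def redeem_token(db, token, now=None):
    """Return (user_id, replacement_token), or None if unknown, used or expired."""
    now = time.time() if now is None else now
    digest = token_digest(token)
    row = db.execute("SELECT user_id, expires_at FROM remember_tokens "
                     "WHERE token_hash = ?", (digest,)).fetchone()
    # Single use: delete before accepting; rowcount guards against a concurrent redeem.
    deleted = db.execute("DELETE FROM remember_tokens WHERE token_hash = ?",
                         (digest,)).rowcount
    db.commit()
    if row is None or deleted != 1 or now >= row[1]:
        return None
    return row[0], issue_token(db, row[0], now)


def logout(db, token):
    # Explicit logout: drop the stored hash (the caller also clears the cookie).
    db.execute("DELETE FROM remember_tokens WHERE token_hash = ?", (token_digest(token),))
    db.commit()
```

Because the lookup is by the hash of a high-entropy random value, no per-token salt is needed and the user id never has to appear in the cookie.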