
"Remember Me" System Spoofing


Question

How secure are "Remember Me" techniques? Every system I've seen involves a cookie on the user's end which could be easily spoofed (I think). If the bad guy of this scenario gained access to the good guy's machine, he could e-mail himself the cookie data for that site. Once back at home, he could set his own cookies to those values, and then prance right through the site's security, right?

Now, I am assuming there aren't more advanced methods than what I've seen to stop this sort of thing. Is there a better way?


3 answers to this question


The basics of "remember me" involve the server sending some sort of token to the client that the client can then send back some time in the future to prove it is authenticated. The problem is that any data that comes from the client machine can be created, modified, or copied by the user. Cookies are the easiest way to do this token exchange, and there are a couple of techniques that could make it more secure, but nothing is completely bulletproof.

You could check on the server side that the IP address making the request using the session info matches some server-stored value of the IP address that initialised the session in the first place. For example, suppose 127.0.0.1 logs in and is given a session ID of "123". To prevent 127.0.0.2 from saying "my session ID is 123, gimme all your info", you could run a check on the server to make sure that only the IP 127.0.0.1 can access any data associated with session 123. This isn't bulletproof though, because getting a user's IP address is unreliable: it can be faked, and there are legitimate reasons for an IP to change. You could also do a similar check on the user's user-agent string, but that's even easier to fake than an IP address, and there are also legitimate reasons for that to change too. All these checks will do is slow down a determined hacker; they won't stop them.

Transferring cookies exclusively over HTTPS will help reduce the risk of someone stealing your cookies because it prevents people from being able to sniff the cookie 'on the wire'. Physical access to the machine would still allow the cookie to be stolen though.

Setting the httponly flag in PHP's setcookie function (other languages probably have something similar) will help prevent XSS attacks from being able to steal cookie information by making the cookie unreadable to JavaScript, but it still isn't immune to a physical access attack.

So, in conclusion: reinstating a user's session from user-provided information isn't secure. If your system is really security sensitive then don't have a "remember me" system, expire sessions regularly, and make the user re-enter their password when they want to perform a particularly sensitive task.

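The server-side binding check and the cookie flags described in the answer above, as an added example that is not part of the original post. It is written in Python rather than the PHP the answer mentions, and the in-memory `SESSIONS` store, the `create_session`/`check_session` names and the sample client addresses are assumptions for illustration; a real server would persist the store in a database or cache. The `demo` function plays out the scenario from the question: the same session ID is presented from the original client, from a copy on the attacker's machine, from the attacker spoofing the original client's IP and User-Agent, and from the legitimate user after a network change.

```python
"""Session binding (IP + User-Agent) plus Secure/HttpOnly cookie flags.
Example code added to this page, not from the original post."""
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session_id -> binding info.
# Assumption: a real deployment keeps this in a database or cache.
SESSIONS = {}


def create_session(user, client_ip, user_agent):
    """Issue a random session id and record the client that started it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "ip": client_ip, "user_agent": user_agent}
    return session_id


def check_session(session_id, client_ip, user_agent):
    """Return the user if the presented id exists AND the request comes from
    the same IP and User-Agent that created it; otherwise None.

    This is the 'slow down, not stop' check from the answer: an attacker who
    also spoofs the source IP and User-Agent passes it, and a legitimate user
    whose IP changes (mobile network, VPN, DHCP) is locked out by it."""
    info = SESSIONS.get(session_id)
    if info is None:
        return None
    if info["ip"] != client_ip:
        return None
    if info["user_agent"] != user_agent:
        return None
    return info["user"]


def session_cookie_header(session_id):
    """Build the Set-Cookie value with the flags the answer recommends:
    Secure (browser only sends it over HTTPS, so it cannot be sniffed on the
    wire) and HttpOnly (not readable from JavaScript, so XSS cannot read it).
    Neither flag helps against someone with access to the machine."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def demo():
    """Constructed scenario from the question. Returns the check results for
    (original client, copied cookie on another machine, attacker spoofing
    IP+UA, legitimate user after an IP change)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    sid = create_session("alice", "203.0.113.10", ua)
    same = check_session(sid, "203.0.113.10", ua)        # accepted
    stolen = check_session(sid, "198.51.100.7", ua)      # rejected: different IP
    spoofed = check_session(sid, "203.0.113.10", ua)     # accepted: check cannot tell
    moved = check_session(sid, "203.0.113.99", ua)       # rejected: alice changed network
    return same, stolen, spoofed, moved


if __name__ == "__main__":
    print(demo())
    print(session_cookie_header(create_session("alice", "203.0.113.10", "ua")))
```

The `spoofed` result is the point of the answer's caveat: the server sees exactly the same inputs from the attacker as from the real user, so binding buys nothing once the attacker bothers to copy the User-Agent and route through the same address, while `moved` shows the false positive that makes this check annoying for real users.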


Session cookies are perfectly fine. Usually, when the system is done correctly, the cookie will store a randomly generated session key and nothing more. The same key is then stored in the database with the user's details and used to match the key to the user when the user accesses the site. Additionally, the key should be regenerated once in a while, making left-over old cookies on other systems invalid, and also regenerated every time the user logs in.

As long as the cookie's value is still valid, someone else could use the value to access the site, yes. But then again, if someone has access to the system, that person could do much more.

Edit: I'm too slow, it seems :p

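A "remember me" store built the way the answer above describes, as an added example that is not part of the original post: the cookie carries only a random key, the server keeps that key against the user, and the key is regenerated on every login and again once it reaches a certain age, so an old copy of the cookie on another machine stops working. The in-memory `REMEMBER_TOKENS` table standing in for the database, the function names, the `ROTATE_AFTER`/`LIFETIME` values and the constructed timeline in `demo` are assumptions of this example. Storing a SHA-256 hash of the key instead of the key itself is a hardening choice of this example (a leaked database then does not yield usable cookies) and not something the post states.

```python
"""Random remember-me keys with rotation on login and on age.
Example code added to this page, not from the original post."""
import hashlib
import secrets

ROTATE_AFTER = 7 * 24 * 3600   # assumption: regenerate the key after a week
LIFETIME = 30 * 24 * 3600      # assumption: after a month, ask for the password again

# Constructed stand-in for the database table: sha256(key) -> record.
REMEMBER_TOKENS = {}


def _hash(token):
    # Hashing is this example's hardening choice: the table never holds a usable key.
    return hashlib.sha256(token.encode()).hexdigest()


def revoke_user(user):
    """Drop every stored key for the user (logout, password change, new login)."""
    stale = [h for h, rec in REMEMBER_TOKENS.items() if rec["user"] == user]
    for h in stale:
        del REMEMBER_TOKENS[h]


def issue_token(user, now):
    """Create a fresh random key for the user and store its hash.
    Called on every login, so any key the user had before (including one
    copied to another machine) is invalidated at that moment."""
    revoke_user(user)
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[_hash(token)] = {"user": user, "issued": now}
    return token


def validate_token(token, now):
    """Look up a cookie value. Returns (user, replacement_token_or_None).
    Unknown, revoked or expired keys return (None, None). A key older than
    ROTATE_AFTER is swapped for a new one, which the caller sets as the new
    cookie; from then on a copied cookie holding the old key is dead."""
    rec = REMEMBER_TOKENS.get(_hash(token))
    if rec is None:
        return None, None
    age = now - rec["issued"]
    if age > LIFETIME:
        del REMEMBER_TOKENS[_hash(token)]
        return None, None
    if age > ROTATE_AFTER:
        return rec["user"], issue_token(rec["user"], now)
    return rec["user"], None


def demo():
    """Constructed timeline: alice logs in, the attacker copies her cookie,
    the copy works for a while, then alice's visit after ROTATE_AFTER
    rotates the key and the attacker's copy stops working."""
    t0 = 1_700_000_000                                   # constructed epoch time
    good = issue_token("alice", t0)
    stolen = good                                        # attacker e-mails it home
    a, _ = validate_token(stolen, t0 + 3600)             # still valid, as the answer says
    user, rotated = validate_token(good, t0 + ROTATE_AFTER + 1)
    b, _ = validate_token(stolen, t0 + ROTATE_AFTER + 2)   # attacker's copy: rejected
    c, _ = validate_token(rotated, t0 + ROTATE_AFTER + 2)  # alice's new cookie: accepted
    return a, user, rotated is not None, b, c


if __name__ == "__main__":
    print(demo())
```

The window between theft and rotation is exactly the exposure the second answer concedes; shortening `ROTATE_AFTER` (or rotating on every use) narrows it at the cost of more writes and more chances of a lost race when two tabs present the same key at once.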
