ppp

Reputation: 2055

Cookie based log in system

I am considering using a cookie-IP matching system to log in users automatically without them having to enter their login data if they are on a known system and their IP has not changed.

Is this policy decent or am I opening a major security hole?

Upvotes: 1

Views: 124

Answers (3)

haltabush

Reputation: 4528

That's, of course, a security hole since if the user logs in to your website and forgets to log out, anyone using this computer (with the same account on the computer) will be able to log in to your website.

Note that this problem also occurs for all websites, only it's usually limited to the session lifetime.

Since that's how all websites work, I don't think this is a real security hole, but it definitely encourages users to be careless about security. It's a chair/keyboard interface security hole :P

As @Ed Heal is saying, do not store the password in the cookie; store a random token instead, which you'll save in the DB. The login process should check if the token stored in the DB equals the one in the cookie.

Upvotes: 1
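A minimal working version of the token scheme this answer describes, written as an added example (it is not the poster's code): a random token is issued at login, looked up in server-side storage on the next visit, and bound to the client IP as the question proposes. An in-memory dict stands in for the DB, and the stored validator is hashed before storage, which is an added hardening step the thread itself does not spell out.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the DB table that holds remember-me
# tokens, keyed by selector. A real deployment would use a proper database
# with parameterised queries; this dict is an assumption of the example.
TOKENS = {}

def issue_remember_me(user_id, client_ip):
    """Create a persistent-login cookie value ("selector:validator").

    Only a SHA-256 hash of the random validator is kept server-side, so a
    leaked table row does not by itself yield a usable cookie (added
    hardening, not something the thread itself spells out).
    """
    selector = secrets.token_urlsafe(12)   # lets the server find the row
    validator = secrets.token_urlsafe(32)  # the secret the client must present
    TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "ip": client_ip,                    # the IP binding the question proposes
    }
    return f"{selector}:{validator}"

def authenticate_cookie(cookie_value, client_ip):
    """Return the user_id if the cookie is valid for this client, else None."""
    try:
        selector, validator = cookie_value.split(":", 1)
    except ValueError:
        return None  # malformed cookie: nothing to look up
    record = TOKENS.get(selector)
    if record is None:
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison so response timing does not leak matching bytes.
    if not hmac.compare_digest(presented, record["validator_hash"]):
        return None
    # IP binding: as Ed Heal notes below, this rejects clients on dynamic IPs.
    if record["ip"] != client_ip:
        return None
    return record["user_id"]

def logout(cookie_value):
    """Revoke the server-side token so the cookie is useless on a shared machine."""
    selector = cookie_value.split(":", 1)[0]
    return TOKENS.pop(selector, None) is not None
```

Because the check is against the DB rather than against anything in the cookie, deleting the row on logout immediately invalidates a cookie left behind on a public computer.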

Ed Heal

Reputation: 59997

It can be a potential security problem in so far as some people use public machines. So make it optional. Also you need to consider that some machines use dynamic IP addressing. Your proposed method will not work in this case.

But above all DO NOT store the password in the cookie.

Upvotes: 2

Jan Kocbek

Reputation: 31

Just create a "Logout" link where, just before you delete their cookie, you pick their e-mail and mail them a link with a hash that regenerates their cookie. So they can log out on public machines.

Sanitize the cookie before processing it through the database.

Upvotes: 1
