How to remember users with cookies in a secure way?

Question

So lets say i have a member base website and when the user signs in i put put a cookie (or a session) with a key value pair remembering who the user is. But its just come to my attention which information i should use to remember the user so that its secure. I cant use username=username or user_id = user_id (because my user_id will be 1), because people then can just simply guess what the cookie values are and logged in as that user. So what key/value pair should i use to be able to identify users and still connect their information to the database securely? Thanks.

Answer 1

I'm definitely not an expert in security, but I have recently implemented user management tool and I have done the following.

• Don't use encryption, its slow and most of the time for simple implementation its just a waste of time.

Here is what you do need to store on the server - in order to authenticate each request.

• UserId (obvious)
• CookieHash (made out of userId, some secret private key and crypto randomly generated number)
• LastLogin
• SessionRenewed (useful for when to cancel someone's session eg. renew cookieHash every 10 min, otherwise log out user)
• LastIP

What I store in cookie is following

• UserId
• CookieHash

How to use this basic security

Simply when user logs in you check username/password etc. (just the usual) If everything is fine then log in user and generate new cookiehash and fill those values given above.

Every request check UserId against its hash. If someone gave UserId = 4 but hash didnt match then automatically drop a session and forward user to login screen. Possible log is good to see how often people try to play around with your hard work.

I hope this helps.

Answer 2

Ben, there are a few different types of attacks you need to be concerned with. For example simply encrypting the identifier with a private key doesn't prevent someone who can intercept the encrypted value from simply replaying it to your server (and appear to be the user). Some common security risks are detailed here (and in associated links at bottom of this page):

https://www.owasp.org/index.php/Session_hijacking_attack

Session management can be quite complex and depending on the level of security you require, it is not something you want to tackle yourself, because likely your development environment / framework already has a solution that has been vetted moreso than a homebrew solution. Here is a link detailing some things to consider, unfortunately this topic has more to it than a simple Stack Overflow post:

https://www.owasp.org/index.php/Session_Management

Answer 3

If you dont prefer encryption for whatever reason, then a simpler solution could be to use a GUID to identify the user. This way, a hacker would have to launch a denial of service kind-of attack on your application to be able to run through even a very small fraction of the GUIDs.

If you want to do this properly, then you should have a look at http://jaspan.com/improved_persistent_login_cookie_best_practice also.

Answer 4

You can just encrypt the user id with a private encryption key that you keep on the server. There are a few things to watch out for with this approach:

• Every call to the server will require you to decrypt the cookie to get the id of the user. This will add overhead to each request.
• If the key is ever compromised, you will be forced to abandon the current name for the cookie you use and use another encryption key when assigning to the new cookie name; this will cause the user to have to re-login, of course.

While I don't think that these are major hurdles, they might be to you, and you would have to evaluate the impact on your site for yourself.