kyjan

Reputation: 321

Safe "Remember me" in a web application

I'm new to webdev in ASP.net.

My problem is how to ensure a safe "Remember me" functionality. At the moment I'm serializing an object to a cookie to authenticate the user in the future.

But now my thought was: if someone copies my cookie, he will be able to log in with the hacked person's account. Is there a safer version of remembering the login of someone between different sessions?

Best regards

Upvotes: 3

Views: 773

Answers (2)

sstendal

Reputation: 3238

A "remember me" cookie will typically contain a long-lived session key. You can make it harder to use a stolen cookie by storing extra information about the computer environment where the cookie was originally created and checking this information before you accept the cookie. This is called "device fingerprinting". It can be quite precise, but it's not very easy to do and not 100% secure.

The IP address can be a part of a device fingerprint, but IP addresses on mobile devices change very often, so that would reduce the value of the cookie quite considerably. You may check HTTP header fields like "User-Agent", "Accept", "Accept-Language" etc. These fields will usually be different on two different browsers. You can use JavaScript and check the OS version, the Java version etc.

Storing a device fingerprint on the server along with the session key will make the remember-me cookie a bit stronger. However, it is still not very secure. An attacker who steals the cookie will probably be able to also collect all this information.

PS: Also remember that the user should be able to deactivate the remember-me cookie if he knows that the cookie is lost, i.e. if his computer is stolen.

Upvotes: 3
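A server-side layout for what this answer describes (a long-lived random key, a stored device fingerprint built from the header fields it names, and a way for the user to revoke it), as an added example that is not part of the answer or of any ASP.NET library: it is framework-agnostic Python, the cookie is split into a random selector and a validator whose hash alone is stored, and the `RememberMeStore` class, its method names and the in-memory table are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


def fingerprint_hash(headers):
    # Hash the header fields the answer names. Client IP is left out on
    # purpose: it changes often on mobile devices and would break the cookie.
    parts = [headers.get(k, "") for k in ("User-Agent", "Accept", "Accept-Language")]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).digest()


class RememberMeStore:
    """Server-side token table (in-memory stand-in for a DB table)."""

    def __init__(self):
        self.rows = {}  # selector -> {user, validator_hash, fp_hash, expires}

    def issue(self, user, headers, ttl=30 * 86400, now=None):
        """Mint a cookie value 'selector:validator'; store only a hash of the validator."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # looks up the row
        validator = secrets.token_urlsafe(32)  # proves possession
        self.rows[selector] = {
            "user": user,
            "validator_hash": hashlib.sha256(validator.encode()).digest(),
            "fp_hash": fingerprint_hash(headers),
            "expires": now + ttl,
        }
        return f"{selector}:{validator}"

    def authenticate(self, cookie, headers, now=None):
        """Return the user for a valid, unexpired cookie from the same device, else None."""
        now = time.time() if now is None else now
        selector, _, validator = cookie.partition(":")
        row = self.rows.get(selector)
        if row is None or now > row["expires"]:
            return None
        presented = hashlib.sha256(validator.encode()).digest()
        if not hmac.compare_digest(row["validator_hash"], presented):
            return None  # constant-time compare avoids a timing oracle
        if not hmac.compare_digest(row["fp_hash"], fingerprint_hash(headers)):
            return None  # fingerprint changed: treat the cookie as stolen
        return row["user"]

    def revoke_user(self, user):
        """Drop every token of a user, e.g. after a lost or stolen computer."""
        self.rows = {s: r for s, r in self.rows.items() if r["user"] != user}
```

Because only the validator's hash is kept server-side, a leaked token table does not yield usable cookies, and the fingerprint check is a speed bump rather than a guarantee, as the answer says.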

Matt

Reputation: 7160

You could store some extra information in the cookie like client IP address.

Upvotes: 0
