browser 'Remember me'


How do i allow a returning user to log in automatically to my web app?
I would also like to be able to disable the function from the server so next time they login it requires a password.

Im assuming its to do with a cookie, but i don’t want to be storing passwords in there and i would like to ensure the login is secure
so whats the best way t o do this?

I encrypt the cookie text before storing it.

Don’t store the username or password in the cookie.
Set a key for the user that’s stored in the database and cookie for that user account.

And yes, the key should be hashed in the cookie.

Then to disable the feature, simple remove all stored keys in the database effectively forcing all users to log in again.

Yes, that’s a far better method.

You should also set an expiery date on the cookie that isn’t too long.
Remember that a “Remember me” feature is in itself a security lowering feature. Only implement it if you really need to and make sure you use SSL(https) for your app :slight_smile:

in my web starter kit I create on each successful login an UUID. This UUID is stored in cookie for next automatic login.
The cookie has an expiration date and when you login on another computer, the old UUID turns invalid as a new one is created.

What do you think?

well, i’m playing around with this. i like the idea of storing the token in the cookie and using that as a key on a table to allow that user from that IP.

mostly this is intranet based and i’m checking the ip address and username to see if they are allowed to connect. if they have the token then i can pass them through, and i can have a timer that weeds out tokens after a period of time. if they login from the same pc then i will reset the last access time so that its only if they don’t return for a day or two i remove the auto logon

Thanks for the ideas guys

Remember to generate a new key for every successful auto login. They should only be used once :slight_smile:

Another thing that is rather handy is to note in your access logs the method of login: username/password, RSA Key, remember me token… That way when a user claims not to have accessed the system at a certain time you can check to see if the user was using the remember me function and left their workstation open to everyone.

log is always good.

It may be worth to have a table of those keys, so you can later check them and keep status.
Like having several tokens for several PCs.
And a record with last used IP and time stamps for creation/last use.

I have a general purpose write up here:

The basics are already covered in this thread: use ssl and tokens.

That all seems quite sensible!