This repository was archived by the owner on Jun 16, 2024. It is now read-only.

Remember Me functionality

Ben Scholzen edited this page May 4, 2013 · 2 revisions


Requirements

  • Users must be able to log in again automatically after their session has expired.
  • A user must be able to store remember-me information on multiple machines independently.
  • Attackers must not be able to abuse the functionality to authenticate using information obtained from either the database or the application.
  • Remember-me information must expire after a defined time.
  • Attackers must not be able to authenticate with outdated remember-me information.
  • Remember-me information must not be weaker than the password hashing.

Solution

When the user selects "Remember Me" on login, the following steps must be taken:

  • Create a unique token (e.g. uniqid()) and an expiry timestamp.
  • Create a hash (with the same hashing method used for the password) from a concatenated string containing the username, a separator and the unique token.
  • Store the username and the unique token in a cookie; the cookie's expiry time should match the expiry timestamp of the token.
  • Store the username, the hash of the token and the expiry timestamp in a 1:n table connected with the user table.

When the application detects that a user is not logged in, it should check for the existence of those two cookie values. If they do not exist, simply ignore it. Otherwise verify that the hash computed from those values matches the one stored in the database. If it does, invalidate the hash in the database and generate a new one. On logout, the connected hash should be invalidated as well.

Additionally, the user should have the option to invalidate all remember-me hashes connected to their account.
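The whole flow (issue, verify-and-rotate, invalidate all) as an added example in PHP; this is not code from this wiki or the project. It assumes PHP 8 with password_hash()/password_verify() standing in for "the same hashing method used for the password", and an in-memory array in place of the 1:n table.

```php
<?php
// Added example, not the wiki's code. Rows mirror the 1:n table: username, hash, expires.
// The raw token lives only in the cookie; the database stores its salted hash.
final class RememberMe
{
    /** @var array<int, array{username: string, hash: string, expires: int}> */
    private array $rows = [];

    public function __construct(private int $lifetime = 30 * 86400) {}

    /** Create token + expiry, hash "username:token", store the hash; return cookie values. */
    public function issue(string $username, ?int $now = null): array
    {
        $now ??= time();
        $token   = bin2hex(random_bytes(16));   // unique token (CSPRNG, stronger than uniqid())
        $expires = $now + $this->lifetime;
        $this->rows[] = [
            'username' => $username,
            'hash'     => password_hash($username . ':' . $token, PASSWORD_DEFAULT),
            'expires'  => $expires,
        ];
        // Cookie expiry matches the token's expiry timestamp.
        return ['username' => $username, 'token' => $token, 'expires' => $expires];
    }

    /** Verify cookie values; on success invalidate the used hash and issue a fresh one. */
    public function verify(string $username, string $token, ?int $now = null): ?array
    {
        $now ??= time();
        foreach ($this->rows as $i => $row) {
            // Expired rows are skipped, so outdated cookies can never authenticate.
            if ($row['username'] !== $username || $row['expires'] < $now) {
                continue;
            }
            if (password_verify($username . ':' . $token, $row['hash'])) {
                unset($this->rows[$i]);          // single use: rotate on every successful login
                return $this->issue($username, $now);
            }
        }
        return null;                             // unknown, expired or tampered cookie
    }

    /** On logout or on request: drop every remember-me hash of the user. */
    public function invalidateAll(string $username): void
    {
        $this->rows = array_filter($this->rows, fn($r) => $r['username'] !== $username);
    }
}
```

Because the stored hash is salted, the database cannot be queried by hash; verification has to walk the user's active rows and run password_verify() on each, so rows should be purged once expired to keep that cost bounded.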
