Strategies for "Remember Me" Username/Password

I wish to add a "Remember Me" check-box to my logon screen. I will be using PHP and Ajax, however, the questions pertain to other technologies as well. I've read a little about storing user credentials client side and using hashing and salt, but don't know if that is the way I wish to do it.

Instead, I am thinking of something like the following. Make sense? Any concerns?

Thanks

Why don't you try with cookies. You can use a code similar to the above and use cookies. Cookies will be saved in clients browser. You can store variables values in those cookies. When user access, you read those values from the cookies and thats it. Unless the user delete cookies and temp files, this should work fine.

Sessions are basically cookies with a twist.

The advantous of a cookie is they will exist until the client deletes them, while sessions might have their server side component deleted.

Cookies won't work, however, since a user would only need to set a cookie to someone else's username, and they would bypass all security. With a session, they would need to guess the random session ID.

I have seen a lot of libraries to encrypt cookie data. That would fix that security issue. take a look at phpclasses dot org

Thanks jaimitoc30, I will take a look.

But do you think about my approach without storing passwords client side?

I believe it is highly unsecured as the password it not encrypted. When echoing the password field, for it to work, the value of it should be the decrypted. Now, if you go right click, view source, you will see the password in plain text, example:

<input name="txtPassword" type="password"
maxlength="128" id="txtPassword" value="123" />

This approach is very difficult, because the whole idea is to have some data where you can recognize a machine and match it up with a boolean variable and with the database encrypted password. The problem is what data can you use. Since you are using server side script, the only thing that may work is using javascript to get some client info where you can match and remember the machine. You can use the approach you are referring to, but, how will you recognize which machine trying to access? You will need to read how sessions work in PHP, cause I am pretty use it will use cookies. It will store a session id. When the machine tries to access the site, it will look for the session id stored in the cookie and match it with the machine and the credentials and will automatically open the session. What I would do in your case is reading all the details on PHP session to better understand how it works. Also, be careful when echoing password form field. I have seen some tips and tricks on echoing that, or you can use a hidden field for password, so you will not reveal the password when echoing the field.

if memory serves sessions use cookies unless otherwise specified that you don't want to use them and then you'll need to be passing the session id around in every url and form post on your site to get around from using them.

Also doing it the way you are looking at here isn't as its already been pointed out the greatest of approaches from the security and consistency stand point.

You can use cookies as just don't put the userid/password in the cookie. instead put a session id or other unique id that can be traced back to a database table containing the needed information. This allows you to also add other items of criteria also, you can store the IP address or anything else you want to use to help identify the person. then you can use a cron job to clean out that table every x number of days and once a user shows up on your site with a cookie that has had it's server side record deleted then you remove the cookie and force the user to log in again. you can even send them an email everytime they log into your site from a different computer to let them know (although i tried this and it gets annoying after a little while).

This site and a very large portion of sites use cookies, yes they aren't ideal but they do the trick.

The session cookie is destroyed when you close your browser, so none of this technique will work. Also, don't use ajax.

NEVER store user credentials client-side.

A "remember me" cookie should contain a salted one-way hash of three kinds of user information:
1) User computer identity
2) User-available user data
3) User-unavailable user data

If the user has the "remember me" box checked when they log in, create a hash of that data, for instance:
1) User-agent and IP address
2) Username (NOT PASSWORD NEVER PASSWORD)
3) User creation timestamp, internal userID, etc.

Hash that with a salt, then set it as the "remember" cookie using setcookie. Also set a "remember_user" cookie with their username.

Then, have your login page check for the "remember" cookie. If it's set, take:
#1 from the current $_SERVER variable
#2 from their "remember_user" cookie
#3 from your database using #2

Then hash it and compare it to the "remember" cookie, logging them in as that user if the check is successful.

This way, an attacker would have to know the user's username, user-agent, IP address, AND creation timestamp, as well as your hashing methods and salt. By combining the three types of data (immediate, user-provided, server-provided) you get as close as possible to ensuring that the user is who they say they are.

Winner!

LOL yes, he is.

Thanks Dan, Great post!

I guess I didn't realize (or forgot) that session cookies were destroyed when closing the browser. A couple of questions...

1. Why not use AJAX?


2. I am using phpass for saving and verifying passwords. Can it be used for this scope as well?

3. When displaying the form when the "remember me" cookie is set, the user should have some indication that the password is in the input field (i.e. bullet marks, but obviously not the real password). I wish to have the password input display a shaded "Password", and when the user focuses on it, it changes to an empty field. To do so, I am using a password input and text input, and using JavaScript to display the appropriate one. Any suggestions on how to show the bullets when the "remember me" cookie is set? Feel free to tell me this question belongs in the JavaScript forum.

Thank you

1) If you're going to reload the whole page anyway, why use ajax? Ajax is for doing asynchronous data requests which do not reload the page.

If you post a form, you send the data to the server, and the server sends back the new page.

If you use ajax, you post the data to the server, parse the response, request a new page from the server, and the server sends back the new page.

It's 2 extra steps.


2) You can use PHPass to generate these hashed cookies, yes. Don't use the password in that hash though.

3) Never display a login form when the user has the "remember me" cookie. Log them in. That's it. Don't show them a login form so they have to click a button, just log them in, that's the point of it. There's no scenario where a user has a valid "remember" cookie and sees a login screen. I don't know why you keep bringing this scenario up. Does it happen anywhere else that you can point me to? It doesn't happen here on devshed.

1. Upon reloading the page, it will display the next appropriate page. Using Ajax prevents reloads when username/password doesn't validate. Yes, it is a little more work, but I feel it is a better user experience. Unless you can think of a security reason not to do so, I will use Ajax.

2. Thanks for the PHPass confirmation.

3. I don't know why I keep on bring this scenario up. I have seen it before, but I agree it makes no sense. I will do as you suggest.

Thanks

I am pretty sure you have seen this scenario when you tell the browser to remember the password. That is something done by the browser. Usually in server side scripts, the correct way is as mentioned above.

As long as all your pages validate the session and your login check sets the session cookie, #1 should be fine.