Is theft of a "remember me" cookie a real threat?

I use SSL to transfer all data. HTTP is completely disabled. With the exception of malware or access to a physical machine (both of which are very difficult to prevent on the server side), I don’t see how an attacker could steal a cookie to log in.

So, is it fine not to worry about theft of the login cookie?

The difficulty of correctly implementing a non-copyable login cookie, one that still lets users hold sessions in different browsers and on different machines, is greater than the security it buys.

Thus, I believe it is fine not to protect against copying and pasting cookies from machine to machine.

Is this a reasonable compromise, or am I forgetting something important here?

+6
2 answers

You need to make sure that the Secure flag is set on your cookie, because you generally can't prohibit users from reaching your site over non-SSL. Otherwise, I think you should be fine.

However, I suggest taking reasonable precautions. For instance:

  • Never include data in cookies or on the wire that can be used to obtain a user's password.
  • If possible, set the HttpOnly flag on cookies carrying sensitive information so that any potentially untrusted JavaScript cannot steal them.
+3
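The two precautions above, as an added example that is not part of the answer: the remember-me cookie carries a random opaque token (nothing derived from the password), only a hash of the token is kept server-side, and the cookie is issued with Secure and HttpOnly. The in-memory `REMEMBER_ME_STORE` and the `missing_cookie_flags` audit helper are assumptions made for this example, not anything the page describes.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side store: sha256(token) -> user id. Only the hash is
# kept, so a leaked database does not hand out usable cookies.
REMEMBER_ME_STORE = {}


def issue_remember_me(user_id: str, max_age: int = 30 * 24 * 3600):
    """Return (Set-Cookie header value, raw token).

    The token is random and independent of the password, so the cookie
    reveals nothing that could be used to recover the password.
    """
    token = secrets.token_urlsafe(32)
    REMEMBER_ME_STORE[hashlib.sha256(token.encode()).hexdigest()] = user_id

    cookie = SimpleCookie()
    cookie["remember_me"] = token
    morsel = cookie["remember_me"]
    morsel["secure"] = True      # never sent over plain HTTP
    morsel["httponly"] = True    # not readable by page JavaScript
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString(), token


def lookup_remember_me(token: str):
    """Resolve a presented token to a user id, or None if unknown."""
    return REMEMBER_ME_STORE.get(hashlib.sha256(token.encode()).hexdigest())


def missing_cookie_flags(set_cookie_value: str):
    """Audit a Set-Cookie header value; list the protective attributes it lacks."""
    parts = set_cookie_value.split(";")[1:]          # skip the name=value pair
    attrs = {p.strip().split("=", 1)[0].lower() for p in parts}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    header, token = issue_remember_me("alice")
    print(header)
    print("missing flags:", missing_cookie_flags(header))
    print("lookup:", lookup_remember_me(token))
```

The audit helper is the check you would run against your own responses: a cookie that lacks Secure is sent in clear if anyone lures the browser to `http://` on your host, and one that lacks HttpOnly is readable by any injected script.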

Yes, this is a real threat.

A "remember me" cookie puts the security of your web service out of your control, by definition. In general, anyone (especially a sophisticated attacker) who can capture this cookie can log in as that user.

Let's look at a real-world example: Google uses these cookies for its services. You can stay logged in for weeks. From what I have observed, one way they mitigate cookie-theft attacks is to invalidate the cookie if they detect suspicious activity on the server side. For example, if I usually log in from California and unexpectedly log in from another state or country (or there are concurrent sessions from another location!), I may be logged out and have to re-authenticate. Of course, this is not perfect, but usage patterns can be used to prevent some attacks.

Also, remember that the cookie will be browser specific. For example, if a browser fingerprint is used to determine that a user has just logged in from another OS / browser / etc., this might be a good time to invalidate the cookie. Perhaps you can get creative and allow some leeway if the browser's minor version is updated, but flag it if the browser version is ever downgraded.

+1
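The server-side mitigation this answer describes, as an added example that is not part of the answer: each issued remember-me token is bound to a coarse record of the OS, browser family, browser version and coarse location seen when it was issued; later uses that change the OS or browser, downgrade the browser version, or come from a different location revoke the token, while a version upgrade is tolerated. The `TokenRecord` layout, the region field and the event list are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """Hypothetical server-side state for one issued remember-me token."""
    user: str
    os: str
    browser: str
    major: int
    minor: int
    region: str        # coarse location, e.g. from a GeoIP lookup
    revoked: bool = False


def parse_version(version: str):
    """'91.3' -> (91, 3); a bare '91' is treated as 91.0."""
    major, minor = (version.split(".") + ["0"])[:2]
    return int(major), int(minor)


def check_use(rec: TokenRecord, os: str, browser: str, version: str, region: str):
    """Validate one presentation of the token against its record.

    Returns (status, reasons): status is 'ok', 'ok-upgraded' or 'revoked'.
    Revokes on OS/browser family change, browser version downgrade, or use
    from a different region; a minor/major version upgrade is accepted and
    recorded so the next use compares against the newer version.
    """
    if rec.revoked:
        return "revoked", ["already-revoked"]

    major, minor = parse_version(version)
    reasons = []
    if os != rec.os or browser != rec.browser:
        reasons.append("fingerprint")
    elif (major, minor) < (rec.major, rec.minor):
        reasons.append("downgrade")
    if region != rec.region:
        reasons.append("region")

    if reasons:
        rec.revoked = True          # force re-authentication
        return "revoked", reasons

    if (major, minor) > (rec.major, rec.minor):
        rec.major, rec.minor = major, minor
        return "ok-upgraded", []
    return "ok", []


def replay(rec: TokenRecord, events):
    """Run a sequence of (os, browser, version, region) uses; return statuses."""
    return [check_use(rec, *ev)[0] for ev in events]


if __name__ == "__main__":
    # Constructed sample: issued from Firefox 91.0 on Linux in California.
    rec = TokenRecord("alice", "Linux", "Firefox", 91, 0, "CA")
    events = [
        ("Linux", "Firefox", "91.3", "CA"),   # routine minor upgrade
        ("Linux", "Firefox", "91.3", "CA"),   # same as before
        ("Linux", "Firefox", "91.0", "CA"),   # downgrade: cookie was copied
        ("Linux", "Firefox", "91.3", "CA"),   # already revoked
    ]
    print(replay(rec, events))
```

Real User-Agent strings need normalising before the family and version are extracted, and GeoIP regions are coarse, so the thresholds here are deliberately loose; the point is that the server, not the browser, decides whether a presented cookie is still trusted.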
