svcghost — 2011-08-28T21:57:58-04:00 — #1
I'd like to know if the following system is insecure please:
A user is allowed to check the "always signed in" (24 hours) checkbox upon logging in.
If checked, the "userkey" cookie is set to exist for 24 hours. So the user can exit out of the browser session and relaunch the browser and still be logged in. This works by my web server checking if the "userkey" cookie matches any userkey in the user database. If it does, it creates a logged in session for that user.
Is this insecure? Because a user can create a fake userkey cookie and see if it matches that of another user's userkey, thus successfully logging in as another user?
What would be a better way to do this?
felgall — 2011-08-28T22:15:28-04:00 — #2
As long as the userkey in the cookie is a long enough value (e.g. a sha1 hash) it is no more likely to be guessed than the session id or password is.
Where it does lessen security is if someone else has access to use the computer to visit the site where the cookie already exists.
svcghost — 2011-08-28T23:14:42-04:00 — #3
Yeah I figured it's the same thing as guessing a password really, but harder (not taking into account network security where cookies can be sniffed). Thanks Felgall. And I see your point about access to the computer. Thanks!
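One way to build the 24-hour userkey cookie discussed in this thread, as an added example that is not code from either poster. It assumes an in-memory dict (`TOKEN_STORE`) standing in for the user database; the function names, the choice to store only a SHA-256 digest of the key, and the cookie attributes are this example's own choices.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 24 * 60 * 60  # the thread's 24-hour "always signed in" window

# Hypothetical stand-in for the user database:
# sha256(userkey) -> (user_id, expires_at). The raw userkey is never stored,
# so a leaked table cannot be replayed as cookies.
TOKEN_STORE = {}


def digest(userkey):
    return hashlib.sha256(userkey.encode("utf-8")).hexdigest()


def issue_userkey(user_id, now=None):
    """Create a fresh random userkey; return (userkey, Set-Cookie header value)."""
    now = time.time() if now is None else now
    # 32 bytes (256 bits) from the OS CSPRNG: not derived from the username,
    # password or clock, so it cannot be computed, only guessed.
    userkey = secrets.token_urlsafe(32)
    TOKEN_STORE[digest(userkey)] = (user_id, now + TTL_SECONDS)
    # Secure keeps the cookie off plain HTTP (the sniffing case);
    # HttpOnly hides it from page scripts.
    cookie = (f"userkey={userkey}; Max-Age={TTL_SECONDS}; Path=/; "
              "Secure; HttpOnly; SameSite=Lax")
    return userkey, cookie


def verify_userkey(presented, now=None):
    """Return the user id for a valid, unexpired userkey, else None."""
    now = time.time() if now is None else now
    key = digest(presented)
    record = TOKEN_STORE.get(key)
    if record is None:
        return None
    user_id, expires_at = record
    if now >= expires_at:  # enforce the 24 hours server-side, not only via Max-Age
        del TOKEN_STORE[key]
        return None
    return user_id


def revoke_userkey(presented):
    """Call on logout so a copied cookie stops working immediately."""
    TOKEN_STORE.pop(digest(presented), None)
```

Revoking on logout also shortens the window for the shared-computer case raised above, since the cookie left in the browser no longer maps to a user.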