“Keep Me Logged In” - the best approach

Backend · Unresolved · 12 · 1771
Happy的楠姐 2020-11-22 08:30

My web application uses sessions to store information about the user once they've logged in, and to maintain that information as they travel from page to page within the ap

12 answers
  •  佛祖请我去吃肉 2020-11-22 08:59

    I don't understand the concept of storing encrypted stuff in a cookie when it is the encrypted version of it that you need to do your hacking. If I'm missing something, please comment.

    I am thinking about taking this approach to 'Remember Me'. If you can see any issues, please comment.

    1. Create a table to store "Remember Me" data in - separate to the user table so that I can log in from multiple devices.

    2. On successful login (with Remember Me ticked):

      a) Generate a unique random string to be used as the UserID on this machine: bigUserID

      b) Generate a unique random string: bigKey

      c) Store a cookie: bigUserID:bigKey

      d) In the "Remember Me" table, add a record with: UserID, IP Address, bigUserID, bigKey

    3. If trying to access something that requires login:

      a) Check for the cookie and search for bigUserID & bigKey with a matching IP address

      b) If you find it, log the person in but set a flag in the user table "soft login" so that for any dangerous operations, you can prompt for a full login.

    4. On logout, mark all the "Remember Me" records for that user as expired.

    The only vulnerabilities that I can see are:

    • you could get hold of someone's laptop and spoof their IP address with the cookie.
    • you could spoof a different IP address each time and guess the whole thing - but with two big strings to match, that would be...doing a similar calculation to above...I have no idea...huge odds?
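The scheme described in the answer above, written out as an added example (this is not the answerer's code). It assumes a Python web backend with an in-memory SQLite table standing in for the real "Remember Me" table, uses `secrets.token_urlsafe` for bigUserID and bigKey, and stores a SHA-256 hash of bigKey plus an expiry timestamp, which goes slightly beyond the answer: a leaked table then cannot be turned straight into valid cookies, and tokens stop working even without an explicit logout. The `DANGEROUS_ACTIONS` set and the IP/user values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from typing import Optional

# Constructed list of operations a "soft login" (cookie-restored session)
# may not perform without re-entering the password (step 3b in the answer).
DANGEROUS_ACTIONS = {"change_password", "change_email", "delete_account"}


def _hash_key(key: str) -> bytes:
    # Only a hash of bigKey is kept server-side (an addition beyond the answer).
    return hashlib.sha256(key.encode("utf-8")).digest()


class RememberMeStore:
    """Separate "Remember Me" table (step 1): one row per device, so the same
    user can stay logged in from several machines at once."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            """CREATE TABLE remember_me (
                   big_user_id TEXT PRIMARY KEY,   -- per-device random selector
                   user_id     INTEGER NOT NULL,
                   ip          TEXT    NOT NULL,
                   key_hash    BLOB    NOT NULL,   -- sha256(bigKey)
                   expires_at  INTEGER NOT NULL,
                   revoked     INTEGER NOT NULL DEFAULT 0)"""
        )
        self.ttl = ttl_seconds

    def issue(self, user_id: int, ip: str, now: Optional[int] = None) -> str:
        """Step 2: generate bigUserID and bigKey, record them with the IP,
        and return the value to put in the cookie ("bigUserID:bigKey")."""
        now = int(time.time()) if now is None else now
        big_user_id = secrets.token_urlsafe(16)
        big_key = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO remember_me VALUES (?, ?, ?, ?, ?, 0)",
            (big_user_id, user_id, ip, _hash_key(big_key), now + self.ttl),
        )
        return f"{big_user_id}:{big_key}"

    def resolve(self, cookie: Optional[str], ip: str, now: Optional[int] = None) -> Optional[dict]:
        """Step 3a: look up the cookie; return a soft-login session only if the
        selector exists, the key matches, the IP matches, and the record is
        neither expired nor revoked. Otherwise return None."""
        now = int(time.time()) if now is None else now
        if not cookie or ":" not in cookie:
            return None
        big_user_id, big_key = cookie.split(":", 1)
        row = self.db.execute(
            "SELECT user_id, ip, key_hash, expires_at, revoked "
            "FROM remember_me WHERE big_user_id = ?",
            (big_user_id,),
        ).fetchone()
        if row is None:
            return None
        user_id, stored_ip, key_hash, expires_at, revoked = row
        if revoked or now >= expires_at or stored_ip != ip:
            return None
        # Constant-time comparison so response timing does not leak key bytes.
        if not hmac.compare_digest(key_hash, _hash_key(big_key)):
            return None
        return {"user_id": user_id, "soft_login": True}

    def revoke_all(self, user_id: int) -> None:
        """Step 4: on logout, expire every "Remember Me" record for the user."""
        self.db.execute("UPDATE remember_me SET revoked = 1 WHERE user_id = ?", (user_id,))


def needs_full_login(session: dict, action: str) -> bool:
    """Step 3b: a soft-login session must re-authenticate before dangerous actions."""
    return bool(session.get("soft_login")) and action in DANGEROUS_ACTIONS


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue(user_id=42, ip="198.51.100.7")
    print(store.resolve(cookie, "198.51.100.7"))   # soft-login session for user 42
    print(store.resolve(cookie, "203.0.113.9"))    # None: IP does not match
    store.revoke_all(42)
    print(store.resolve(cookie, "198.51.100.7"))   # None: revoked on logout
```

The IP check implements the answer's step 3a literally; the trade-off the answerer already notes is that a stolen cookie still works from the same address, which is why the soft-login flag is what actually protects the dangerous operations.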
