How to securely implement the "remember me" function

Source: Internet
Author: User
Tags: account security


I. "Remember me" is not safe

After logging in, let's take a look at the cookies the site sets.


If you do not check "Remember Me", these terrible information will not be recorded by cookies, so that feature was originally just for the convenience of users to access again. In the figure, my email address is naked, but the password is not plain text. However, don't be too happy. Just look at the string of seemingly indestructible encrypted characters ...... Why? Wait, isn't it Base64 encoded! For Base64 encoding, this encoding can be fully decoded, which means that you can transfer any code to a website such as base64.

Not everyone mistakes Base64 for "encryption"; it is a perfectly reasonable way to represent data as ASCII, but a password "encoded" this way is back in plain text the moment it reaches the browser. You may ask how big a problem this really is. The cookie is stored in the user's own browser, so what harm can it do, and how would an attacker get hold of it?

The passwords stored in these cookies are not flagged HttpOnly (you can see this in the cookie list on the right), which means client-side script can read them. A missing HttpOnly attribute is bad enough on its own, but the core problem is that a password stored in a cookie can easily leak through other channels as well.
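As an added example (not code from the original article), here is a small Python audit of Set-Cookie headers for the weaknesses just described: a missing HttpOnly or Secure attribute, a persistent expiry, a credential or identity stored client-side, and a value that is merely Base64 and decodes straight back to plain text. The sample headers and cookie names are constructed for illustration; the list of credential-like cookie names is an assumption.

```python
"""Audit Set-Cookie headers for the weaknesses described above.

Added example, not code from the original article. The sample headers and
cookie names below are constructed for illustration.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Optional

# Cookie names that suggest a credential or identity is stored client-side (assumed list).
CREDENTIAL_HINTS = ("password", "pwd", "pass", "email", "user")


@dataclass
class CookieFinding:
    name: str
    value: str
    issues: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_if_base64(value: str) -> Optional[str]:
    """Return the UTF-8 text behind a Base64 value, or None if it is not Base64 text."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def audit_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header line and list what is wrong with it."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    finding = CookieFinding(name=name.strip(), value=value.strip())
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly: client-side script can read it")
    if "secure" not in attrs:
        finding.issues.append("missing Secure: may be sent over plain HTTP")
    if "expires" in attrs or "max-age" in attrs:
        finding.issues.append("persistent cookie: survives closing the browser")
    if any(hint in finding.name.lower() for hint in CREDENTIAL_HINTS):
        finding.issues.append("credential or identity stored in a cookie")
    finding.decoded = decode_if_base64(finding.value)
    if finding.decoded is not None:
        finding.issues.append(
            f"value is Base64, not encryption: decodes to {finding.decoded!r}")
    return finding


def audit_all(headers: List[str]) -> List[CookieFinding]:
    return [audit_set_cookie(h) for h in headers]


# Constructed sample: two "remember me" cookies like the ones in the figure,
# next to a properly flagged session cookie carrying an opaque token.
SAMPLE_HEADERS = [
    "Set-Cookie: email=dXNlckBleGFtcGxlLmNvbQ==; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/",
    "Set-Cookie: password=cGFzc3dvcmQ=; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/",
    "Set-Cookie: auth=opaque-random-token; path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_HEADERS):
        print(finding.name, "->", "; ".join(finding.issues) or "no issues")
```

Running it lists every problem with the two "remember me" cookies (including the decoded plain-text values) and reports the flagged session cookie as clean; the same function can be pointed at the Set-Cookie lines of a real login response.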

There is a more fundamental reason why these websites are negligent, even if they protect the credentials used on their own site. When a user ticks "remember me" and the website then emails that username and password back to them, these are often the very same credentials the user has on eBay or for online banking. Whether the password is in plain text or merely readable by client-side script, it sits in the browser the whole time, and a large number of people reuse passwords. When we handle threats to user credentials, we need to protect far more than just our own website.


II. How to securely implement the "remember me" function


1. The lifetime of the authentication cookie

The "remember me" function boils down to controlling the lifetime of the authentication cookie, which determines how long a person stays logged in.

By default, ASP.NET uses a session cookie, that is, a cookie with no explicit expiry, which is discarded when the browser is closed. That is one approach; the other is to set a short lifetime so that even if the browser keeps the cookie, the user is automatically logged out when it expires. This can also be controlled on the server: the server can extend the lifetime of the authentication cookie each time the user actively uses the system.

As long as the authentication cookie is valid, the person is remembered. How long should that be? In the example above the default is 2 days, which is obviously too short for a legitimate user. A shorter lifetime means less risk but more inconvenience; a longer lifetime is more convenient but increases the potential risk to users. Let's take a closer look at that risk.


2. Exploiting a long-lived authentication state

A session can only be hijacked once it is authenticated. Take a website whose cookie expires after six months and lacks the HttpOnly flag: an XSS vulnerability on that site lets an attacker obtain the cookie and use the user's credentials for half a year. If the lifetime were one month instead, the site would still have serious vulnerabilities, but the window for these attacks would be much smaller.

On the other hand, exposed ELMAH logs are a series of major leaks in their own right, but unless someone logged on with "remember me" a week earlier and the default-configuration vulnerability was triggered, no credentials are leaked through them. If you want to check a website, try it yourself: even on a site you have already logged on to, you can see a cookie whose lifetime poses a risk.

Therefore, if you want to protect the credentials carried by authentication cookies, the HttpOnly and Secure cookie attributes are essential to a rigorous security posture. All the classic session-hijacking threats still exist, but the weaknesses in these cookies cannot be ignored.

In the final analysis this is a trade-off. The factors to weigh include the value of the data an attacker could obtain, the impact on user convenience, and the site's security configuration when authentication is tightened. Facebook, for example, holds very useful social data, its users expect instant access without delay, and it has invested heavily in account security. AFD, on the other hand, holds users' personal identity and financial data and provides the security authentication its users require, and those users are well aware of the security issues. The two face very different risks, so they should have completely different lifetime policies for their authentication cookies.


3. Hardening measures

There may be no perfect answer for the auth cookie; there is always a more secure solution, but it comes at a price. Security depends on the time, money, and convenience you are willing to pay, and someone will always tell you that you have done something wrong. Let's look at some possible ways to harden the handling of a long-lived auth cookie.

The problem with a long-lived auth cookie is that while it keeps the user authenticated, it also exposes them to attacks such as CSRF or clickjacking. There are other risks that come with long-lived cookies which are not listed here, but that does not affect the discussion of countermeasures. Another point is that a private cookie which validly authenticates the user on the server can start another authentication session when the user returns: although the initial session expires quickly, the key is that a new session is started and a fresh verification is performed, because the user chose "remember me" and is logged on again.

One approach is to tie the "remember me" cookie to the user's IP address, user agent, or other notable features, which gives some protection against cookie hijacking. Of course, these features also change during legitimate use. That is common on mobile networks, where a site may be visited from several different IP addresses, and your ISP may not always assign a static address. User agents differ too: Chrome and Firefox updates seem to arrive every other day. So unless you deliberately choose some high-quality attributes, relying on them is a risky practice.

Another programmatic approach is to keep the "remember me" cookie separate from the authentication cookie and use the former to re-verify the user's identity, but with additional restrictions. In practice, an automatically authenticated identity should follow a reduced security model: the mitigation is to ask the user for their credentials again rather than trusting the automatic re-verification alone. This is nothing new; you may have met it when making a transfer in online banking. Users authenticated this way are at greater risk because the mechanism is easily hijacked and spoofed.

Another hardening measure is to reset the "remember me" cookie after each use. This invalidates the old value on the server and requires a unique, persistent value, such as a random number stored both in the database and in the cookie. It helps ensure that a cookie an attacker has obtained cannot be used afterwards. In this article, the author discusses some methods of mitigating such patterns, but they require extra work and are somewhat inconvenient for normal users (for example, users can no longer be "remembered" on several computers at once).

Finally, the principles of managing sessions under a single account deserve attention and are related to the "remember me" function. For example, can one user have several authenticated sessions at the same time? Should sessions be disconnected once the user changes the password? Can an administrator end an authenticated session? There are many such questions, but here we only discuss how remembered sessions are re-established.
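The three preceding paragraphs (a "remember me" cookie separate from the session cookie, a unique persistent value that is rotated after each use, and revoking sessions on password change or by an administrator) can be combined into one token store. The following Python is an added example, not code from the original article, and its design is an assumption rather than the article's own: the cookie carries a selector (lookup key) plus a validator (secret); the server keeps only a hash of the validator, so a leaked table does not yield usable cookies; every successful use rotates the token while keeping the original absolute expiry; and all of a user's tokens can be revoked at once. The cookie name and the 30-day lifetime are assumed policy values.

```python
"""Persistent "remember me" tokens kept separate from the session cookie.

Added example, not code from the original article. Design is an assumption:
selector:validator cookie, hashed validator at rest, rotation on every use,
absolute lifetime, bulk revocation per user.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ABSOLUTE_LIFETIME = 30 * 24 * 3600  # 30 days; assumed policy value, not the article's
COOKIE_NAME = "remember_me"          # assumed cookie name


@dataclass
class StoredToken:
    user_id: str
    validator_hash: bytes
    expires_at: float


def hash_validator(validator: str) -> bytes:
    # Validators are high-entropy random strings, so SHA-256 is enough here;
    # a slow password hash is only needed for user-chosen secrets.
    return hashlib.sha256(validator.encode("utf-8")).digest()


class RememberMeStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._tokens: Dict[str, StoredToken] = {}  # keyed by selector
        self._now = now

    def issue(self, user_id: str, expires_at: Optional[float] = None) -> str:
        """Create a token and return the cookie value 'selector:validator'."""
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        if expires_at is None:
            expires_at = self._now() + ABSOLUTE_LIFETIME
        self._tokens[selector] = StoredToken(user_id, hash_validator(validator), expires_at)
        return f"{selector}:{validator}"

    def redeem(self, cookie_value: str) -> Optional[Tuple[str, str]]:
        """Validate a presented cookie; on success return (user_id, new cookie value).

        The presented selector is consumed either way, so a replayed old value,
        or a copy with a wrong validator, stops working and also burns the
        stored token: whoever uses a captured copy second is locked out.
        """
        selector, _, validator = cookie_value.partition(":")
        stored = self._tokens.pop(selector, None)
        if stored is None or stored.expires_at <= self._now():
            return None
        if not hmac.compare_digest(stored.validator_hash, hash_validator(validator)):
            return None
        # Rotate, keeping the original absolute expiry so total lifetime stays bounded.
        return stored.user_id, self.issue(stored.user_id, stored.expires_at)

    def revoke_all(self, user_id: str) -> int:
        """Drop every token for a user (password change, admin action); returns the count."""
        doomed = [s for s, t in self._tokens.items() if t.user_id == user_id]
        for s in doomed:
            del self._tokens[s]
        return len(doomed)


def set_cookie_header(value: str, max_age: int) -> str:
    """Set-Cookie line for the token: HttpOnly, Secure and a bounded Max-Age."""
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Max-Age={max_age}; "
            f"Path=/; HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")
    print(set_cookie_header(cookie, ABSOLUTE_LIFETIME))
    print(store.redeem(cookie) is not None)  # first use succeeds and rotates
    print(store.redeem(cookie))              # replay of the old value: None
```

On each automatic login the server redeems the cookie, starts a fresh (short-lived) session for the returned user id, and sends the rotated value back with the header above; a password change calls `revoke_all`, and sensitive actions can still demand the real credentials as the article suggests.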


III. When should I use the "remember me" function? (And some alternatives)

Sometimes it makes no sense to keep an authenticated user logged in for a long time. Take the typical use of a bank: if you rely on automatic login to save time and then leave the house without logging out of the browser, I don't need to spell out the risks.
