Watch your door.-Authentication mechanism is attacked (5)-Common Vulnerability of "Remember Me" feature

Source: Internet
Author: User

First, a declaration: this article is purely the shallow view of a small developer without much foresight or knowledge, and is intended only as a reference for Web system security.

1. Brief description

When we log in to a website, there is usually a "Remember Me" checkbox next to the login form. Ticking it keeps the username and password state for the next visit; how is that implemented? With cookies: when we choose "Remember Me", the browser stores the username in a cookie, and on the next visit the site automatically looks for that cookie.
(Image omitted.) This flaw has appeared at a great many large Internet companies. Without having gone through the painful lesson, do you think the payment code on all those shopping sites was just dreamed up by a product manager?

2. Common "Remember me" loophole

The vulnerability of the so-called "Remember Me" feature is, in essence, a cookie vulnerability. Some common cookie weaknesses:
A: Sensitive information is not strongly encrypted
A lot of sensitive information, such as email addresses and passwords, is not strongly protected (for example with MD5 or other methods). Very often, for convenience, we apply a plain encoding such as Base64 or ASCII directly. That looks like it stops an ordinary user from reading or editing the sensitive words, but for an attacker it is almost transparent.
B: Not tagged with the HttpOnly attribute
The password stored in the cookie is not marked HttpOnly. Omitting HttpOnly may be mere sloppiness, but the core problem is that a password stored in a cookie can easily be read out by other means.
Adding the HttpOnly attribute does not necessarily make the information much safer, but it is still worthwhile because it forces an attacker to spend more effort.
C: Cookie lifetime
Some websites' cookies expire after 6 months and carry no HttpOnly flag, so any XSS vulnerability on their site could give an attacker half a year in which to obtain and use the user's credentials. In the same situation, if the lifetime were 1 month, the site would still have serious flaws, but the window for these attacks would actually be cut.
So, for everything that concerns authentication cookies: if you want to protect the user's credentials, the HttpOnly attribute and a strict security attitude are a must. All the classic hijacking threats still exist, but the problem of handling these cookies must not be overlooked.
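To make points A, B and C concrete, here is an added example (illustrative code written for this page, not code from the original article): a "weak" cookie that merely Base64-encodes the credentials with a six-month lifetime and no HttpOnly flag, a hardened alternative that stores only a random opaque token (hashed server-side, one-month lifetime, HttpOnly/Secure/SameSite), and an audit function that flags the three weaknesses in any Set-Cookie header. The function names, the in-memory store and the thresholds are assumptions chosen for the demonstration.

```python
"""Weak vs hardened "Remember Me" cookies, plus a Set-Cookie audit (added example)."""
import base64
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

SIX_MONTHS = 180 * 24 * 3600   # the lifetime the article criticises
ONE_MONTH = 30 * 24 * 3600     # the shorter window the article prefers


def weak_remember_me_cookie(username: str, password: str) -> str:
    """The anti-pattern: credentials only Base64-encoded, no HttpOnly, six-month life."""
    payload = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"remember_me={payload}; Max-Age={SIX_MONTHS}; Path=/"


def decode_weak_cookie(header: str) -> Tuple[str, str]:
    """Shows the encoding is transparent: whoever holds the cookie reads the password."""
    value = header.split(";", 1)[0].split("=", 1)[1]
    user, pwd = base64.b64decode(value).decode().split(":", 1)
    return user, pwd


def issue_remember_me(username: str, store: Dict[str, dict],
                      now: Optional[float] = None) -> str:
    """Hardened: random opaque token; only its hash is kept server-side (assumed dict store)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                    # 256 bits of entropy, no user data
    digest = hashlib.sha256(token.encode()).hexdigest()  # a DB leak does not leak live tokens
    store[digest] = {"user": username, "expires": now + ONE_MONTH}
    return (f"remember_me={token}; Max-Age={ONE_MONTH}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def validate_remember_me(token: str, store: Dict[str, dict],
                         now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid, unexpired token, else None; expired entries are purged."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.get(digest)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del store[digest]
        return None
    return entry["user"]


def audit_set_cookie(header: str, max_age_limit: int = ONE_MONTH) -> List[str]:
    """Flag the three weaknesses from the article in a single Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    value = parts[0].split("=", 1)[1] if "=" in parts[0] else ""
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "")
             for p in parts[1:]}
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "max-age" in attrs and int(attrs["max-age"]) > max_age_limit:
        findings.append(f"Max-Age {attrs['max-age']}s exceeds {max_age_limit}s")
    try:
        # Plain Base64 of "user:secret" is the transparent encoding the article warns about.
        decoded = base64.b64decode(value, validate=True).decode()
        if ":" in decoded:
            findings.append("value decodes to 'user:secret' text (credentials in cookie)")
    except (ValueError, UnicodeDecodeError):
        pass  # not Base64 text: an opaque token looks like this
    return findings


if __name__ == "__main__":
    weak = weak_remember_me_cookie("alice", "hunter2")   # constructed sample credentials
    print("weak cookie  :", weak)
    print("decodes to   :", decode_weak_cookie(weak))
    print("weak findings:", audit_set_cookie(weak))
    store: Dict[str, dict] = {}
    hardened = issue_remember_me("alice", store)
    print("hardened     :", hardened)
    print("findings     :", audit_set_cookie(hardened))
```

Running the module prints both headers and the audit result for each; the hardened cookie yields no findings, while the weak one is flagged for all three issues and for carrying readable credentials. The server-side store means a stolen cookie can be revoked by deleting its hash, which a credential-bearing cookie never allows.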

3. Should the "Remember Me" function be used at all?

The main question to consider here is: is my information more valuable, or is my time? That is the direction from which the user considers the problem, but not necessarily the direction from which the system owner considers it!!
Therefore, as an ordinary user, do not tick "Remember Me" casually just because you see the box.
Some industries do not need "Remember Me" at all, banks for example; I do not want people to know my account and password, and fortunately the bank thinks so too.
