8

In most cases I like using cookies to remember returning users to my websites.

In my early/foolish days, I would store a UserID (auto-increment integer) in a cookie and if the user returned I would use that cookie value to log them in automatically. This was a bad idea because someone could easily edit the cookie to use a different integer and log in as someone else.

Is it ok to store a UserID in this same manner if the UserID is a GUID?

What are the best practices for storing "remember me" cookies?

JasonBirch
  • 4,143
  • 3
  • 26
  • 30
jessegavin
  • 2,158
  • 1
  • 25
  • 27
  • I feel like this is an appropriate (language-agnostic) webmaster type question. If people feel like it is more of a StackOverflow question, I will be obliged to delete it or something. – jessegavin Jul 09 '10 at 19:31
  • I believe this is really a Stack Overflow scenario, because even if it's agnostic, there's so many variables involved in answering the question, and because it's related to security, it's most likely best for SF (plus, there's no rule that says a webmaster has to be a programmer) – Mark Henderson Jul 11 '10 at 04:11
  • I personally feel like this is a legitimate question for this site., even though it is pretty much "programming related". However, I also placed a question that was "programming related" in the webmaster sense, and it got closed for being off-topic (http://webmasters.stackexchange.com/questions/527/why-should-i-develop-my-applications-using-the-mvc-design-pattern-closed).

    I'm not sure which way it should go, but consistency is required.

     – Mark Hatton Jul 12 '10 at 11:09

2 Answers2

3

You should consider using sessions to handle this sort of scenario.

Sessions generally work by generating a unique GUID for the user's authentication and saving it in a cookie on the user's local machine or passing it around, from page to page, through the URL.

This session GUID points to a file or database entry on the server that can then be read and written to by your source code, by associating the GUID in the user's cookie/URL with the GUID of the file or database entry that holds your data.

It's generally safe to put more sensitive data (such as the user ID) in sessions as nothing is visible to the end user except the session GUID.

Most web-based languages will have some sort of session management built in.

Nat Ryall
  • 1,364
  • 3
  • 14
  • 17
  • The context of my question was around the idea of a "remember me next time I visit your site" feature. If I used session variables to authenticate, it would only last for the current browsing session. – jessegavin Jul 11 '10 at 00:44
1

Save two cookies:

  • UserId: contains the user id
  • Password: contains the SHA1 of the user's password

Very easy and secure. Remember the HttpOnly attribute.

Andreas Bonini
  • 2,585
  • 24
  • 23
  • 1
    Hum, a hash of the password in a cookie? That is not secure because someone can use a dictionary attack. –  Jul 10 '10 at 03:11
  • 1
    Not if he uses a salt ;)... – Wookai Jul 10 '10 at 14:35
  • 1
    I would still feel very dirty if I stored a password anywhere but the database as a hash of some sort. How about a random session identifier plus the User ID? The session identifier changes when the session expires or the user logs out. Plus, you can then log the user out at the back-end by destroying their session identifier in the database. You can't very well force someone to log out by destroying their password. – Mark Henderson Jul 11 '10 at 04:13