Re: Remember Me

Posted: Sat Oct 31, 2009 10:11 am
by kaisellgren
No password / username storing in cookies. But what if it's encrypted? No.

What you need is a strong session identifier. For instance, if your session identifier is purely random and is 256 bytes long, you have ~3*10^616 possibilities there. If you have enabled TLS and your cookies are flagged as "secure" and HTTP-only, then keeping the identifier alive for a year is not such a problem after all. In addition, tie the IP loosely to the session.

XSS? Doesn't bite if the user keeps himself up-to-date (HTTP-only in latest browsers).
MITM/Eavesdropping? Doesn't bite.
Session forging? Doesn't bite.

Even if someone gets in, does her IP differ? Likely -> doesn't get in.
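One way to implement what the post describes, as an added example that is not from the thread or its author: a 256-byte random identifier from the OS CSPRNG, a cookie carrying the Secure and HttpOnly flags, and a loose IP binding that compares only the client's /24 (IPv4) or /48 (IPv6) prefix. The in-memory store and the choice to keep only a SHA-256 hash of the token server-side are assumptions added here, not something the post specifies.

```python
import hashlib
import secrets
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed in-memory session store: sha256(token) -> {"user": ..., "net": ...}
# Storing only a hash means a leaked store does not yield usable cookies.
SESSIONS: dict = {}


def client_network(ip: str) -> str:
    """Loose IP binding: keep the /24 prefix for IPv4, /48 for IPv6."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def _key(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_session(user: str, ip: str) -> str:
    """Mint a session: 256 random bytes (512 hex chars) bound to the client's network."""
    token = secrets.token_hex(256)
    SESSIONS[_key(token)] = {"user": user, "net": client_network(ip)}
    return token


def cookie_header(token: str, max_age: int = 365 * 24 * 3600) -> str:
    """Set-Cookie value: lives a year, sent only over TLS, unreadable from JavaScript."""
    return f"sid={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def lookup_session(token: str, ip: str) -> Optional[str]:
    """Resolve a presented cookie to a user, or None if unknown or presented from another network."""
    rec = SESSIONS.get(_key(token))
    if rec is None or rec["net"] != client_network(ip):
        return None
    return rec["user"]
```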