I am trying to ascertain the best way to keep someone logged into my website after I have verified the log in is correct.
I tried to have a look at "Keep Me Logged In - the best approach", where the most upvoted answer said that I should generate a token and then store this token in the database! Surely that is wholly insecure, because all it takes is a database hack and cookie editing to get into someone else's account?
Could someone please provide me the most currently up to date secure way of doing this? Thanks.
We recently posted a blog about secure authentication with long-term persistence (a.k.a. "Remember Me"), but the largest difference between this blog post and ircmaxell's answer to "Keep Me Logged In - the best approach" is a separation of the lookup (which is not constant-time) and the validation (which is constant-time).
In the strategy we outlined in our blog post, you aren't storing tokens in the database, you're storing an SHA-256 hash of a token. If an attacker leaks these values, he has to crack SHA-256 hashes of strong random tokens. They're better off just launching a reverse shell that lets them authenticate as any user (or proceed to take over the entire machine with a local kernel exploit).
Use bcrypt. Specifically `password_verify()`. Don't generate your own salts.
If you want to go the extra mile, consider this bcrypt + AES library to encrypt the password hashes (which is mostly helpful if you have your database and webserver on separate hardware, since compromising the database won't give them the encryption key).
When logging in: set the `rememberme` cookie.

With the `rememberme` cookie, grab the identifier and do a database search, then compare using `hash_equals()`.
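The selector/verifier split described in this answer, as an added example that is not the answer's own code: the selector does the (non-constant-time) database lookup, only the SHA-256 of the verifier is stored, and `hash_equals()` does the constant-time validation. An in-memory array stands in for the database table, and the token lengths and 30-day lifetime are assumptions.

```php
<?php
// Added example (not the answer's own code): selector/verifier "remember me" tokens.
declare(strict_types=1);

/** Issue a token for $userId; persists a row in $store and returns the cookie value. */
function issueRememberMe(array &$store, int $userId, int $ttlSeconds = 30 * 86400): string
{
    $selector = bin2hex(random_bytes(12));   // public lookup key, no secret value
    $verifier = bin2hex(random_bytes(32));   // 256-bit secret, never stored in clear
    // Only the SHA-256 of the verifier is stored; a leaked row is not enough
    // to forge the cookie without cracking a 256-bit random value.
    $store[$selector] = [
        'user_id'         => $userId,
        'hashed_verifier' => hash('sha256', $verifier),
        'expires'         => time() + $ttlSeconds,
    ];
    return $selector . ':' . $verifier;      // value for the rememberme cookie
}

/** Validate a rememberme cookie value; returns the user id or null. */
function checkRememberMe(array $store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;
    // Lookup by selector: an ordinary indexed query, not constant-time,
    // which is fine because the selector carries no secret.
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        return null;
    }
    // Validation is constant-time: compare fixed-length SHA-256 hex strings.
    if (!hash_equals($row['hashed_verifier'], hash('sha256', $verifier))) {
        return null;
    }
    return $row['user_id'];
}

// Demo: issue a token, then validate the real cookie and a forged verifier.
$db = [];
$cookie = issueRememberMe($db, 42);
var_dump(checkRememberMe($db, $cookie));
[$sel] = explode(':', $cookie, 2);
var_dump(checkRememberMe($db, $sel . ':' . str_repeat('0', 64)));
```

Rotate the row (new selector and verifier) on every successful use so a stolen cookie stops working once the legitimate user logs in again.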