
Many users want the possibility to autologin when they return to my website. I just finished implementing it and I have read several articles about this question. For example, here. I use different tokens, hashes, etc. and regularly update the autologin cookies and the DB information associated with these cookies.

The main problem is that if user A has an autologin cookie on his computer A, user B can steal this cookie, place it on another computer B and successfully autologin to user A's account.

My main question is:

1. How to make sure that the person who enters with an autologin cookie really is user A from computer A and not user B from computer B?

There are 2 ways to prevent it, but neither of them is very useful:

  1. To check the user's IP address. Mobile Internet users may have a different IP address every 5 minutes. So, this is not very useful. I just implemented an option so that users can check a box if they want to allow autologin only from their most recent IP address.

  2. To check the user agent. I have implemented this and tested it on Firefox. It worked fine. Then I started testing it on Chrome, and almost every day my autologin cookie was invalid because Chrome updates almost every day and the user agent changes.

2. Is there any easy way to remove the browser version number from the user agent so that I can check just the browser, etc., but not the browser version number?

I have been logged in on Facebook for a long time - probably 1 year. I have updated the browser many times, but my autologin cookie is still valid. Does it mean that they don't check the user agent?

3. Are there any other methods to make sure that the user who enters my website really is user A and not someone else?

user1406271
  • If person B steals person A's credentials I don't see much you can do about it. If a user can spoof another user's credentials then you can bet they can spoof everything else you're going to check for as well. – apokryfos May 25 '16 at 10:30
  • Use sessions, in the end it's easier. – Charlotte Dunois May 25 '16 at 10:30

2 Answers


Just make sure the autologin cookie's value cannot be guessed and that it uses the HttpOnly attribute (use Secure too if your site uses HTTPS).

Checking the IP address is not worth the degraded user experience. What's the point of a "remember me" feature that breaks if I change networks? I implemented this in my CMS a long time ago and have had many complaints since :)

Checking the User-Agent is pointless - if someone manages to get access to the cookie they might just grab the User-Agent too.

Shira

How to make sure that the person who enters with an autologin cookie really is user A from computer A and not user B from computer B?

You don't. This isn't your concern. If they steal the authentication token, they're authenticated as that user. Dead stop.

Focus instead on making it nigh-impossible for anyone to steal said token without infecting the user with malware. This means:

  1. Use HTTPS everywhere.
  2. Set the cookies' HTTP-only flag to true.
  3. Set the cookies' secure flag to true.
  4. Make sure you're using a CSPRNG.
  5. Make sure you've securely implemented your long-term authentication and that it's optional.

There are 2 ways to prevent it, but neither of them is very useful

Neither of those prevent anything. IP addresses change rapidly for e.g. mobile users, and user agents aren't unique.

Is there any easy way to remove the browser version number from the user agent so that I can check just the browser, etc., but not the browser version number?

What you're basically saying is "any Firefox user can impersonate any other Firefox user if they steal a token and that's somehow better than anyone impersonating a user if they can steal a token".

Are there any other methods to make sure that the user who enters my website really is user A and not someone else?

To be succinct: No.

Scott Arciszewski
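Both answers come down to the same advice: an unguessable token (CSPRNG), HttpOnly and Secure cookie flags, and a storage scheme that holds up if the database leaks. The following is an added Python illustration of that scheme, not code from the question or either answer; the in-memory `TOKEN_DB` dict, the selector/validator split, and the `issue_token`/`check_token`/`cookie_header` names are all assumptions standing in for a real autologin table and framework.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical in-memory "database": selector -> record. A real site would
# keep the same three fields in its autologin table.
TOKEN_DB = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # seconds; 30 days

def issue_token(user_id, now=None):
    """Create a selector/validator pair from a CSPRNG and return the cookie
    value. Only a hash of the validator is stored, so a leaked DB row cannot
    be turned back into a working cookie."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret-critical
    validator = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
    TOKEN_DB[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + TOKEN_LIFETIME,
    }
    return selector + ":" + validator

def cookie_header(value):
    """Build the Set-Cookie header with HttpOnly and Secure set, so script on
    the page cannot read it and it is never sent over plain HTTP."""
    cookie = SimpleCookie()
    cookie["autologin"] = value
    cookie["autologin"]["httponly"] = True
    cookie["autologin"]["secure"] = True
    cookie["autologin"]["samesite"] = "Lax"
    cookie["autologin"]["max-age"] = TOKEN_LIFETIME
    return cookie.output(header="Set-Cookie:")

def check_token(cookie_value, now=None):
    """Return the user id for a valid cookie, else None. The selector finds
    the row; the validator is checked in constant time against its hash so
    the comparison leaks no timing information."""
    now = time.time() if now is None else now
    selector, _, validator = cookie_value.partition(":")
    record = TOKEN_DB.get(selector)
    if record is None or record["expires"] < now:
        TOKEN_DB.pop(selector, None)  # drop expired rows on sight
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["validator_hash"]):
        return None
    return record["user_id"]
```

A production version would also rotate the pair on every successful autologin and delete all of a user's rows on password change or logout.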