Posted by Anze on 01/02/07 12:40
Hi!
I'm trying to build a "Remember Me" auto-login feature but all solutions I
have seen on the Internet are done insecurely.
The way I see it, the cookie is always transmitted in cleartext, so anyone could
steal it and access the user's account without problems. At least in all
implementations I have seen.
What is more: I think there is no way to store data on the client computer and
transmit it via a challenge / response mechanism.
Am I right?
I thought I might have a solution to this, but when trying to implement it I
figured out that JS can't access SSL-only cookies. :(
This is the solution I had in mind (it can't be done, but anyway):
The cookie should be set SSL-only (even though we don't have SSL), but
readable by JavaScript.
Once the user comes (again) to the site, it gets a challenge string from the
server. JS checks and notices the SSL-only cookie, makes a hash from the
SSL-only cookie and the challenge string, then sets a normal cookie with it
and redirects the browser to the same page - which posts the normal cookie
to the server. The server then checks whether this normal cookie is a hash of
challenge+SSL-only cookie, and if so, it is OK. If not - login fails.
Unfortunately JS can't read SSL-only cookies and all non-SSL cookies are
transmitted as cleartext. :(
Any thoughts on how to implement secure "remember me" without SSL would be
appreciated. Even "it can't be done" would be helpful... :)
Best,
Anze
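The challenge/response exchange the post describes, simulated end to end as an added example (this is not the poster's code, and both sides run in one Python process rather than browser JavaScript and a web server). Assumptions: the persistent cookie holds a random per-user secret shared with the server; the "hash of challenge + cookie" is taken here as an HMAC-SHA256 keyed with that secret; user name "alice" and the session ids are constructed. The server consumes each challenge on first use, which is what stops an eavesdropper from replaying a captured response; it does nothing about the poster's actual objection, that the long-term secret itself travels in clear when it is first set.

```python
import hashlib
import hmac
import secrets


class RememberMeServer:
    """Server side of the challenge/response exchange described in the post."""

    def __init__(self):
        self.secrets = {}   # username -> long-term secret held in the persistent cookie
        self.pending = {}   # session id -> (username, challenge) awaiting a response

    def issue_remember_me(self, username):
        """Create the long-term secret; the browser would store it in the persistent cookie."""
        secret = secrets.token_bytes(32)
        self.secrets[username] = secret
        return secret

    def new_challenge(self, session_id, username):
        """Step 1: a fresh random challenge for this visit, remembered until answered."""
        challenge = secrets.token_bytes(16)
        self.pending[session_id] = (username, challenge)
        return challenge

    def verify(self, session_id, response):
        """Step 3: check the response; each challenge is consumed on first use."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False  # unknown session, or a challenge already answered (replay)
        username, challenge = entry
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def compute_response(secret, challenge):
    """Step 2 (the poster's JavaScript step): keyed hash of the challenge with the cookie secret."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def run_exchange():
    """Simulate one visit, a replay of the captured response, and a response with a wrong secret."""
    server = RememberMeServer()
    secret = server.issue_remember_me("alice")           # constructed user

    challenge = server.new_challenge("sess-1", "alice")  # constructed session id
    response = compute_response(secret, challenge)       # value the browser would put in the normal cookie
    first_ok = server.verify("sess-1", response)

    # An eavesdropper who captured `response` replays it against the same session.
    replay_ok = server.verify("sess-1", response)

    # A new challenge answered with a guessed (wrong) secret.
    challenge2 = server.new_challenge("sess-2", "alice")
    wrong_ok = server.verify("sess-2", compute_response(b"not the secret", challenge2))

    return first_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

Because the challenge is random and single-use, the value in the normal cookie is useless once the server has seen it; only the long-term secret is worth stealing, which is exactly the part of the design the post is worried about.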