“Remember Me” Login for website - Problem with different browsers/computers

StackOverflow https://stackoverflow.com/questions/4203029

Question

I'm trying to implement a "Remember Me" login functionality for an ASP.NET MVC site I'm building. I'm trying to use this approach http://jaspan.com/improved_persistent_login_cookie_best_practice (see 'Miller's Design' near top) and have it working to a degree.

Thus the work-flow is:

  1. User logs in and is issued a cryptographically secure random string + their database ID as a persistent cookie (lasting about 30 days). Secure string is stored in the database next to their user account record.
  2. User later comes back to site where browser presents the login cookie, the ID and secure key is looked up in the database and if match is found, the user is automatically authenticated.
  3. Once authenticated a new secure key is generated, stored in the database and new cookie issued.

I have this working fine, however, it doesn't work very well if the user logs in from multiple browsers or computers. Obviously different browsers will end up with a different secure key stored as a cookie, thus the work-flow becomes:

  1. User logs in from browser A, is issued a secure key as cookie, key is stored in database.
  2. User logs in from browser B, is issued a different secure key as cookie. Key is also stored in database, but overwrites the key generated from browser A.
  3. User visits site from browser A again, browser presents cookie issued from step 1. but it no longer matches because secure key was replaced in step 2. so user has to log in again. Another new key is generated and overwrites the key issued to browser B.
  4. Users visits from browser B again, key doesn't match, has to log in again etc. etc.

How do I solve this? Do I need to store and maintain multiple keys in the database? Am I even going about this the right way? I've noticed StackOverflow seems to manage this and remembers me from different browsers and computers.

Was it helpful?

Solution

From reading the article you linked, it seems to me like Miller's design is to store the random string and the username as a pair in a different table than the user-table. By using the random string as the index, you can have multiple simultaneous logins from the same user-name while still being reasonably well-protected from session hijacking.

Your description indicate that you store the random string inside the user-table, which would only allow one login at the time.

OTHER TIPS

You need a third item in your cookie, a 'series' token. This will represent a login event. Everytime the user logs into your system, it creates a new series, that doesn't change until they logout, or login again. You still have your token, ie Secured Key, that is updating on every request.

Here's some links to help with this implementation:

Database problems when allowing multiple browser persistent log ins

The definitive guide to form-based website authentication

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top