Question

When a user logs in and checks the "remember me" box, I generate a key (very random numbers on a md5) for it and save it in their cookies. If the user is not logged in, my code checks for a "remember me key" cookie; if it matches a user, then he's logged in.

My question is, how do I stop users from copying their remember me key cookie and passing it to their friends? Because if they do that, the person who copied the cookie will be logged in without even knowing the password of the account, and they would access a premium account without buying it.

I can't bind the key to the IP, or else the remember me wouldn't work well, since lots of computers change IPs very often. I thought about saving the user agent and other browser info, what do you think?


Solution

You can detect the sharing of cookies by regenerating the key for the cookie each time it's used. If someone gives a remember-me cookie to someone else (or it's stolen) and they both use it, then they will both end up with different keys after they use their cookie.

Only allow the most recently generated key for each account. If someone uses a key that doesn't match the database value, then invalidate all sessions associated with the user.
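An added example (not code from the question or the answers) of the rotation scheme described above: every successful use of the remember-me key replaces it, only the latest key is accepted, and a stale key triggers invalidation of all of that user's sessions. It assumes a cookie of the form `user:key` so the server knows whose sessions to revoke, and stores only a hash of the key so a database leak does not yield usable cookies; the in-memory store is constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store: user -> sha256 hash of the single valid key.
# None means no live remember-me key (all sessions for that user invalidated).
REMEMBER_KEYS = {}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(user: str) -> str:
    """Generate a fresh random key, remember its hash, return the cookie value."""
    key = secrets.token_urlsafe(32)
    REMEMBER_KEYS[user] = _digest(key)
    return f"{user}:{key}"


def login_with_cookie(cookie: str):
    """Return (user, rotated_cookie) on success or (None, None) if rejected."""
    user, _, key = cookie.rpartition(":")
    current = REMEMBER_KEYS.get(user)
    if current is None:
        return None, None  # unknown user or sessions already revoked
    if not hmac.compare_digest(current, _digest(key)):
        # Not the most recent key: the cookie was copied (or stolen) and used
        # from elsewhere, so revoke every remember-me session for this user.
        REMEMBER_KEYS[user] = None
        return None, None
    # Valid key: rotate it so only this browser holds the live key.
    return user, issue_key(user)


def sharing_scenario():
    """Alice gets a cookie, a friend copies it, and both keep using it."""
    REMEMBER_KEYS.clear()
    alice_cookie = issue_key("alice")
    friend_cookie = alice_cookie  # copied before either side used it
    user, alice_cookie = login_with_cookie(alice_cookie)  # Alice: accepted, rotated
    alice_ok = user == "alice"
    user, _ = login_with_cookie(friend_cookie)  # friend presents the stale key
    friend_rejected = user is None
    user, _ = login_with_cookie(alice_cookie)  # Alice's new key is revoked too
    alice_locked_out = user is None
    return alice_ok, friend_rejected, alice_locked_out
```

The trade-off is visible in the last step: the legitimate owner is logged out as well and must sign in with the password again, which is what makes the sharing detectable.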

OTHER TIPS

My question is, how do I stop users from coping their remember me key cookie and pass it to their friends?

Best solution is not to use remember me: https://www.owasp.org/index.php/Guide_to_Authentication#Remember_Me

If you still want to then you could check the requester's browser and IP, but then maybe you have usability issues. Limiting the number of concurrent sessions to 1 per paid user may deter the exploit you are concerned about.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow