Question

I have a mobile website where, as part of my security measures, I want users to "register" their device, so I can limit the number of devices that users can have accessing the site. My thought was, for a "new" device, put them through a two-factor authentication process, and store a server-sent GUID in an httpOnly cookie (over SSL) which will hold the GUID. When the user comes to the site and logs in using their username and password, the server will compare that cookie against their user record in the database, and if it's a match lets them log in.

So my question is: is this a valid/secure use of httpOnly cookies? Does the method that I'm describing for "device registration" make sense?

Thanks!


Solution

This would stop casual users from using multiple devices with your service, but it would be easy to circumvent, as they could copy the cookie to another device. The HttpOnly flag simply restricts client-side script such as JavaScript from accessing the cookie; it does not prevent the user themselves from accessing the cookie, nor does it force encryption of it in any way in the cookie jar.

You could make your solution work, though, with a little more engineering: rolling tokens for each device. By this I mean it would give each client a new device ID on every login, and this mechanism would also invalidate the old one. This would cause a second device with a copy of the original cookie to no longer be able to use your service without separate registration and a count against your device limit.

Also, it might be better to use something other than GUIDs depending on the level of security needed as they are possibly predictable:

How secure are GUIDs in terms of predictability?

Are GUIDs safe for one-time tokens?
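The rolling-token scheme from the answer above, as an added example (not code from the question or the answerer). It assumes an in-memory stand-in for the per-user device records in the database, a cookie value of the form `device_id.token`, and that the web framework sets the cookie with the Secure, HttpOnly and SameSite attributes. Tokens come from the OS CSPRNG rather than a GUID, only a hash of the current token is stored server-side, and every successful login replaces the token so a copied cookie dies the next time the original device logs in.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class DeviceLimitExceeded(Exception):
    """Raised when a user already has the maximum number of registered devices."""


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked database does not hand out usable cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _make_cookie(device_id: str, token: str) -> str:
    # Value the server sets in the device cookie (assumed format: device_id.token).
    # The framework is expected to add Secure; HttpOnly; SameSite when setting it.
    return f"{device_id}.{token}"


class DeviceRegistry:
    """Hypothetical in-memory stand-in for the per-user device records in the database."""

    def __init__(self, max_devices: int = 2) -> None:
        self.max_devices = max_devices
        # username -> {device_id: sha256(current token for that device slot)}
        self._devices: Dict[str, Dict[str, str]] = {}

    def register_device(self, username: str) -> str:
        """Call after the second factor has passed for a device with no valid cookie."""
        devices = self._devices.setdefault(username, {})
        if len(devices) >= self.max_devices:
            raise DeviceLimitExceeded(f"{username} already has {self.max_devices} devices")
        device_id = secrets.token_hex(8)       # opaque slot identifier, not a GUID
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        devices[device_id] = _hash_token(token)
        return _make_cookie(device_id, token)

    def login(self, username: str, cookie: Optional[str]) -> Optional[str]:
        """Check the device cookie after username and password have been verified.

        Returns a fresh cookie (the token is rolled) when the presented cookie
        matches the current token for that device slot. Returns None otherwise;
        the caller should then treat the client as an unregistered device and
        route it through two-factor registration.
        """
        if not cookie or "." not in cookie:
            return None
        device_id, token = cookie.split(".", 1)
        devices = self._devices.get(username, {})
        stored = devices.get(device_id)
        if stored is None or not hmac.compare_digest(stored, _hash_token(token)):
            return None
        # Roll the token: the old value is dead from here on, so a copy of the
        # cookie taken earlier can no longer be used from another device.
        new_token = secrets.token_urlsafe(32)
        devices[device_id] = _hash_token(new_token)
        return _make_cookie(device_id, new_token)

    def device_count(self, username: str) -> int:
        return len(self._devices.get(username, {}))


if __name__ == "__main__":
    registry = DeviceRegistry(max_devices=2)
    phone = registry.register_device("alice")      # constructed sample user
    copied = phone                                 # attacker copies the cookie jar
    phone = registry.login("alice", phone)         # original device logs in, token rolls
    print("copied cookie still works:", registry.login("alice", copied) is not None)
    print("original device still works:", registry.login("alice", phone) is not None)
```

Note that the copied cookie keeps working until the original device's next login; if that window matters, bind the token to a short server-side expiry as well, so a dormant copy cannot be used indefinitely.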

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow